Turns out that password protection just ain't enough anymore. A login password does little to protect the data sitting on a stolen hard drive; councils need to encrypt their laptops as well, and this was an expensive lesson for the London councils of Ealing and Hounslow to learn.
According to the Information Commissioner's Office (ICO), Ealing council provides an out-of-hours service staffed by nine work-from-home employees. This team is responsible for collating and recording, on their laptops, information on clients of the Ealing and Hounslow councils.
So far, so good.
Except that two of these council-issued laptops were stolen from an employee's home. The ICO reports that the laptops contained details of almost 3,000 individuals. Although encryption was part of the council's security policy, the laptops were protected only by a login password, which stops nobody who pulls the drive out or boots the machine from another disk. Only full-disk encryption protects data at rest on a stolen computer.
The good news is that there is no evidence to suggest that the data was accessed by an unauthorised third party, though with an unencrypted disk there is also no way to prove that it wasn't. Nevertheless, Ealing and Hounslow councils were fined £80,000 and £70,000 respectively for breaching the Data Protection Act.
What occurs to me here is: once these fines are paid, who should be the beneficiary?
Following the incident, both councils contacted the individuals whose data was put at risk. I am sure these councils will be reviewing their security policy as a result of this action from the ICO, and let's hope other councils realise the costly implications of having unprotected personal data on their computers.
If you want to learn how to protect against data loss, you can request Sophos's Data Leakage for Dummies or visit this page for information on how to avoid becoming a data loss headline.
You may also want to check out the views of Sophos's Graeme Stewart, who blogs about public sector security and rarely minces his words. His latest post is entitled: "Exactly what sort of deterrent are these ICO fines?"

Never mind where the money goes - where does the money come from? That's right - council tax payers are footing the bill for council bungling.
These fines could have paid for employing a decent security professional.
Not the first time Ealing council has been caught with its information security pants down either, having been hit by a virus outbreak that cost them a large amount of money to rectify.
Maybe sensitive data should only be on external secure flash memory that can easily be hidden in plain sight, vs. in-plain-sight laptops.
If the stick is inserted into the wrong machine, it's deleted in a flash before it can be opened.
If a high-profile $3-5k machine is always in view as you travel, someone is going to want it more than you do.
I work for the NHS. Similarly, we have laptops, and it has been decreed that these should be encrypted. However, they are old and rubbish. When the encryption is installed, it makes them even worse. It takes 20 minutes from the machines being turned on to actually being able to start a program to do something.
So perhaps the money could go towards getting better hardware that actually makes encryption feasible.
It's time someONE, not some ORGANISATION, was made accountable and fined. Rather than the people whose data were compromised having to suffer again by THEIR hard-earned cash being used to pay a fine for a crime where THEY were the victims, fine the person in charge of data security, or better still the leader of the council.