What to do about UK data breaches?
Another day, another (damning) survey.
A recent report from Big Brother Watch “uncovered more than 1000 incidents across 132 local authorities, including at least 35 councils who have lost information about children and those in care.
Highly confidential information has been treated without the proper care and respect it deserves. At least 244 laptops and portable computers were lost, while a minimum of 98 memory sticks and more than 93 mobile devices went missing.
Yet of the 1035 incidents, local authorities reported that just 55 were reported to the Information Commissioner’s Office. Perhaps more concerning, just 9 incidents resulted in termination of employment.”
This survey is just the latest in a long series of reports and news releases that all point at the same three inadequacies:
- Leicestershire City Council lost an unencrypted USB stick containing personal information of 80 children;
- A Scottish advocate whose unencrypted laptop (containing personal data of individuals involved in cases she was working on) was stolen while she was on holiday;
- An ASCL employee had a laptop containing unencrypted personal data stolen from home;
- Holly Park School in London had an unencrypted laptop stolen from an unlocked office at the school;
- Two London Housing Associations allowed details of thousands of their tenants to find their way onto an unencrypted USB stick belonging to one of their contractors – which was then left in a pub;
- Southwark council ‘misplaced’ – for two years – an unencrypted laptop containing the personal information of 7,200 people – which was then found on a skip;
- A survey revealed that 17,000 USB sticks were left in dry cleaners during 2010!
The list goes on – as I identified yesterday, nearly 50% of breaches reported to the ICO relate to lost, unencrypted laptops or USB sticks. And it appears that the number of (so far) unreported losses may exceed those reported.
And the position on encrypting laptops and USB sticks is clear. According to the ICO’s Acting Head of Enforcement, Sally Anne Poole:
“The ICO’s guidance is clear: all personal information – the loss of which is liable to cause individuals damage and distress – must be encrypted. This is one of the most basic security measures and is not expensive to put in place – yet we continue to see incidents being reported to us. This type of breach is inexcusable and is putting people’s personal information at risk unnecessarily.”
There are three things that every organisation must do as a matter of course:
- Ensure that all laptops – or at least all laptops that might at some point contain personal information – have boot-level FIPS 140-2 encryption software installed;
- Ensure that all USB sticks that come onto corporate premises, or which are used by staff and contractors, are also encrypted to FIPS 140-2;
- Ensure that all staff – managers as well as front line staff – have adequate training and awareness around their responsibilities for protecting personal data.
Any organisation can do these three things. It isn’t hard.
We’ve now gone a step further, and identified appropriate laptop encryption software, as well as appropriate CESG-approved encrypted USB sticks, and we’re supplying both – in single units or in bulk – directly from our UK website and service centre. We’ve also developed a unique DPA e-Learning Staff Awareness course that can be deployed across the largest organisation and which will ensure (with necessary evidence) that staff have received the core awareness training they need.