What to do about UK data breaches?

Another day, another (damning) survey.

A recent report from Big Brother Watch “uncovered more than 1000 incidents across 132 local authorities, including at least 35 councils who have lost information about children and those in care.
Highly confidential information has been treated without the proper care and respect it deserves. At least 244 laptops and portable computers were lost, while a minimum of 98 memory sticks and more than 93 mobile devices went missing.
Yet of the 1035 incidents, local authorities reported that just 55 were reported to the Information Commissioner’s Office. Perhaps more concerning, just 9 incidents resulted in termination of employment.”

This survey is just the latest in a long series of reports and news releases that all point at the same three inadequacies: 

The list goes on – as I identified yesterday, nearly 50% of breaches reported to the ICO relate to lost, unencrypted laptops or USB sticks. And it appears that the number of (so far) unreported losses may exceed those reported.

And the position on encrypting laptops and USB sticks is clear. According to the ICO’s Acting Head of Enforcement, Sally Anne Poole:

“The ICO’s guidance is clear: all personal information – the loss of which is liable to cause individuals damage and distress – must be encrypted. This is one of the most basic security measures and is not expensive to put in place – yet we continue to see incidents being reported to us. This type of breach is inexcusable and is putting people’s personal information at risk unnecessarily.”

There are three things that every organisation must do as a matter of course:

  1. Ensure that all laptops – or at least all laptops that might at some point contain personal information – have boot-level, FIPS 140-2 encryption software installed;
  2. Ensure that all USB sticks that come onto corporate premises, or which are used by staff and contractors, are also encrypted to FIPS 140-2;
  3. Ensure that all staff – managers as well as front line staff – have adequate training and awareness around their responsibilities for protecting personal data.

Any organisation can do these three things. It isn’t hard.
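Steps 1 and 2 above are only as good as an organisation's ability to verify them. As an added example (not code from the original post or from the author's company), the Python script below audits a Linux laptop the way an internal compliance check might: it parses the JSON output of `lsblk` to find any readable filesystem that is not sitting below a dm-crypt (LUKS) mapping, flags it as a fixed disk or removable media, and separately interprets the kernel's FIPS-mode flag. The device tree embedded in the script is a constructed sample, the `/boot` exemptions and the `lsblk` column set are assumptions, and the FIPS flag is only a proxy for FIPS 140-2, which is a property of specific validated module versions.

```python
import json
import shutil
import subprocess

# Constructed sample in the shape of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT,RM`
# on a hypothetical laptop: LUKS-encrypted root, an unencrypted /home partition,
# one plaintext USB stick (sdb) and one LUKS-encrypted USB stick (sdc).
SAMPLE_LSBLK_JSON = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "rm": false,
   "children": [
     {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi", "rm": false},
     {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "rm": false,
      "children": [
        {"name": "cryptroot", "type": "crypt", "fstype": "ext4", "mountpoint": "/", "rm": false}]},
     {"name": "sda3", "type": "part", "fstype": "ext4", "mountpoint": "/home", "rm": false}]},
  {"name": "sdb", "type": "disk", "fstype": null, "mountpoint": null, "rm": true,
   "children": [
     {"name": "sdb1", "type": "part", "fstype": "vfat", "mountpoint": "/media/user/USBSTICK", "rm": true}]},
  {"name": "sdc", "type": "disk", "fstype": null, "mountpoint": null, "rm": true,
   "children": [
     {"name": "sdc1", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "rm": true,
      "children": [
        {"name": "secure_usb", "type": "crypt", "fstype": "ext4", "mountpoint": "/media/user/secure", "rm": false}]}]}
]}
"""

# Mount points expected to stay in clear text because the bootloader must read them (assumption).
EXEMPT_MOUNTPOINTS = {"/boot", "/boot/efi"}


def _is_removable(node):
    # lsblk emits "rm" as a bool on recent versions and as "0"/"1" strings on older ones.
    return str(node.get("rm", "")).lower() in ("1", "true")


def _walk(node, under_crypt, removable, findings):
    """Depth-first walk of one lsblk subtree.

    under_crypt becomes True once we are below a dm-crypt mapping; anything found
    there is protected. 'removable' is inherited from the parent because a dm-crypt
    mapping on a USB stick reports rm=false itself.
    """
    under_crypt = under_crypt or node.get("type") == "crypt"
    removable = removable or _is_removable(node)
    fstype = node.get("fstype")
    # crypto_LUKS is the encrypted container itself, not a readable filesystem.
    if fstype and fstype != "crypto_LUKS" and not under_crypt:
        mountpoint = node.get("mountpoint")
        if mountpoint not in EXEMPT_MOUNTPOINTS:
            kind = "removable media" if removable else "fixed disk"
            findings.append((node["name"], kind, mountpoint))
    for child in node.get("children", []):
        _walk(child, under_crypt, removable, findings)


def audit_block_devices(lsblk_json_text):
    """Return [(device, kind, mountpoint)] for every plaintext filesystem found.

    An unmounted plaintext partition still counts: the data is on the media either way.
    """
    tree = json.loads(lsblk_json_text)
    findings = []
    for device in tree.get("blockdevices", []):
        _walk(device, False, False, findings)
    return findings


def fips_mode_enabled(fips_flag_text):
    """Interpret the contents of /proc/sys/crypto/fips_enabled: "1" means the kernel
    crypto API runs in FIPS mode. This is a proxy only; FIPS 140-2 validation attaches
    to specific module versions, so the vendor certificate is the real evidence."""
    return fips_flag_text.strip() == "1"


def collect_lsblk_json():
    """Use the live machine's lsblk when present, otherwise fall back to the sample."""
    if shutil.which("lsblk"):
        out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT,RM"],
                             capture_output=True, text=True, check=False)
        if out.returncode == 0:
            return out.stdout
    return SAMPLE_LSBLK_JSON


if __name__ == "__main__":
    for name, kind, mnt in audit_block_devices(collect_lsblk_json()):
        print(f"UNENCRYPTED {kind}: /dev/{name} (mounted at {mnt or 'not mounted'})")
    try:
        with open("/proc/sys/crypto/fips_enabled") as fh:
            print("kernel FIPS mode:", "on" if fips_mode_enabled(fh.read()) else "off")
    except OSError:
        print("kernel FIPS mode: unknown (flag not exposed on this system)")
```

Run on the sample, the script reports the plaintext `/home` partition and the plaintext USB stick while accepting the LUKS-backed root and the encrypted stick. On a Windows estate the equivalent evidence comes from BitLocker, for example `Get-BitLockerVolume` in PowerShell, and the same finding-per-volume structure applies.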

My own company has tried to make it easy for our customers. We’ve provided specific DPA classroom training as well as a comprehensive DPA Compliance Documentation Toolkit for some years.

We’ve now gone a step further, and identified appropriate laptop encryption software, as well as appropriate CESG-approved encrypted USB sticks, and we’re supplying both – in single units or in bulk – directly from our UK website and service centre. We’ve also developed a unique DPA e-Learning Staff Awareness course that can be deployed across the largest organisation and which will ensure (with necessary evidence) that staff have received the core awareness training they need.