Council punished over theft of laptops from locked room Privacy watchdog the Information Commissioner's Office (ICO) has taken action against a local authority which lost two laptop computers, despite the fact that they were stored in a locked office and password-protected. The ICO has found that the Council was in breach of the Data Protection Act (DPA) and The Highland Council …
Given they were password protected and stored in a locked room might seem sufficient but the ICO is correct in saying that personal data should be encrypted. Encryption shouldn't be optional, it does need to be mandatory with this type of data. That should be on all devices not just mobile/portable.
"... despite the fact that they were stored in a locked office and password-protected."
So what? That's the least possible amount of security. If you have a corporate laptop joined to a domain it will always require a password. And who doesn't lock their office? That's not securing data, that's just having a door on the building.
It seems entirely reasonable to expect them to better secure sensitive information than just to lock the door and have it on a laptop. They could only protect it worse by printing bill posters of the data and stickering them across the outside of the building.
...meaning the absolute best case, assuming it's a bios password and being a laptop it doesn't let you reset it, is that the bad guys have to go to the "effort" of extracting the hard drive to get at the details.... not very good, is it?
I'll admit they were probably stolen for the kit rather then specifically for the data, but I bet whatever man down the pub techy they use to wipe them knows someone who knows someone who pays for that sort of thing...
OK, put aside the ins and outs of this particular case and just how many locked rooms a lappy with personal data has be stored in to satisfy this particular QANGO. Let's talk about what will happen in the future, now that we have been told the ICO are being given the power to levy fines.
In times to come they will have the right to extract money from transgressors. In the case of fining a local authority, just who gets hurt? Not the individual who's lax observance of the rules led to the lapse (well, they might get told how naughty they've been and please don't do it again, or we'll have to suspend you on full pay and send you to your room), as council workers are pretty much bullet-proof: short of causing people to die, anyway. Nor will blame be apportioned to the committees that came up with the inadequate security measures in the first place.
Given that in future those local authorities who are found guilty and fined for their shortcomings will not suffer the consequences themselves, it's hard to see what the point of punishing their tax-payers would be.
The fine will become the burden of the council-tax payers. It will reduce the council's available cash, so either they will raise council taxes to account for it, or they will reduce services to balance the budget. Given that they are not accountable to their "customers", who most councils regard as merely a source of never-ending revenue: it's difficult to see how imposing a financial penalty on an organisation who will just pass it on to the innocent, but easily-tappable residents would be any sort of deterrent.
....I would bet that noone gives two tosses about the `sensitive` data on these laptops.... stolen laptop = 50/100 quid on street = easy money.
As for disk encryption , everyone knows its far far easier to get information from staff than an encrypted disk - do a good enough job and they'll email you a copy of most things you want to know, or give you their password. Or wait til they are logged on and then pop in to do some work on their PC as a techie, or whatever.
People are and always will be open to coercion and persuasion, computers ain't.
I think this is a bit overboard. It's not like all the physical Doctor and medical notes are written in hieroglyphics or some complex encrytion. There was clearly restricted access to the media, yes it would be more effective if the content were encrypted but I don't think it's like the council were leaving memory sticks and laptops on tube trains. Ahem.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
