According to a press release by the UK's Information Commissioner's Office, the biggest security risks come from theft and burglary. Based on what I'm reading, I would assume that the use of data encryption would prevent many of the information security breaches that occur as a result of theft.
By law, companies in the UK that have experienced a data breach must report it to the Information Commissioner. The ICO has been receiving such notices ever since CDs containing the information of 25 million child benefit records went missing. Of the notices compiled over two years:

- A total of 711 organizations have reported a breach to date
- 231 of the breaches involved theft (laptops, USB memory sticks, external hard disks)
- 200 private companies and 209 NHS trusts have experienced breaches

As mentioned earlier, theft of digital devices (I take it this does not include losses of devices, but outright physical intention to steal) was the main driver of announced breaches.
The ICO currently can't do anything about such reported breaches because it lacks the required legislative power. However, that power is coming soon: starting in 2010, the ICO gains the ability to impose fines for data breaches. As of yet, it's not known how big a monetary penalty can be imposed.
One of the ways a company can protect itself from such fines is via the use of encryption software. As far as I know, there are no legal requirements for companies to encrypt sensitive data.

However, there is a legal requirement for companies to protect sensitive data. Case after case seems to show that the use of encryption fulfills that legal requirement.

In instances where encrypted devices are lost or stolen, the organization seems to get a slap on the wrist (and with good reason, too: encryption goes a long way towards protecting information if a laptop computer is stolen).

In the event that encryption was not used, many affected organizations will agree to a formal Undertaking to beef up security. I have always seen a clause in those Undertakings requiring encryption on any laptops and other portable media devices that carry sensitive or personal data.
Related Articles and Sites:
http://www.ico.gov.uk/upload/documents/pressreleases/2009/nadpo_111109.pdf
http://www.databreaches.net/?p=8210