The Information Commissioner's Office has a formal undertaking with the Department of Finance and Personnel (DFP) of Northern Ireland. The department lost 12 laptops, none of them secured with drive encryption. (Otherwise, there would be no need for an undertaking.)
Of the 12 laptops stolen, two contained personal data on a total of 37,000 people. The data included payroll, employment or health information, or a combination of these. Bank details were also included for 900 people.
What's of note in this particular case is that the laptops were secured to desks or stored in locked cabinets. In other words, there was no laxity when it comes to security. Sure, it's physical security; however, most regulations I've encountered seem to treat physical security of computers as equivalent to data protection via encryption software.
I'm not sure where I read it, but there was a specific regulation (perhaps under the USA's HIPAA?) that essentially required physically unsecured laptops to be protected with encryption. The implication is that, if the laptop is being used as a stand-in for a desktop--and will hence remain in the office--then the use of encryption is not necessary.
Not so with the UK's Information Commissioner, though. Despite the fact that the DFP has physical security measures in place, the ICO is still requiring the department to use encryption on "laptops and other portable media used to store and transmit personal data."
I don't have an issue with the decision per se, but with what the UK regulations imply. The law notes that anything that's portable ought to be included if sensitive information is saved on it, but what does it mean by portable?
I don't think "portable" refers to the literal definition, "easily or conveniently transported," but rather to something that was designed for portability. Let us make use of a thought experiment, shall we?
What if the DFP had used, instead of laptop computers, desktop computers at its offices? Would they still have had a data breach? I'd emphatically answer yes. If they had time to steal physically secured laptops, then they probably would have been able to pull the same stunt with desktop computers as well.
This is especially true of the newer models. Take the case of the Dell Inspiron (model I545S-3055NBK; this is not a plug for a product, I'm just leaving evidence that this thing exists). It weighs 16 lbs (that's about 8 kg, for you metric guys), and has dimensions of 14.9" x 4.2" x 17".
I mean, I know of Chihuahuas that are bigger and heavier than that!
I know the ICO means well, but this ruling that laptops have to be encrypted while desktops of similar size don't seems quite arbitrary.
Related Articles and Sites:
http://news.zdnet.co.uk/security/0,1000000189,39948421,00.htm?s_cid=248
http://www.ico.gov.uk/upload/documents/pressreleases/2009/dept_for_finance_and_personnel_171209.pdf
http://reviews.cnet.com/desktops/dell-inspiron-i545s-3055nbk/4505-3118_7-33777296.html