AlertBoot Endpoint Security

Laptop Encryption Software: Manchester City Council In Breach Of DPA

Manchester City Council has been found in breach of the Data Protection Act (DPA) by the Information Commissioner's Office.  Two laptop computers that did not feature hard disk encryption were stolen.  Had data security software like AlertBoot endpoint encryption been used, the personal details of 1,754 employees would not have fallen into the wrong hands.

Batteries Were Being Charged

According to the signed undertaking, the two laptops were stolen while their batteries were being charged in the main office.  Weird.  Don't they have outlets in more secure areas?

To boot, the computers were not chained to a desk, did not feature data encryption (as mentioned above), and did not even have something as lowly as password-protection in place.  And, since these laptops were stolen, I presume no one was watching over these two computers while they were being charged, either.

Conclusion: there was absolutely no data security in place whatsoever.  The presence of any of the above (with password-protection coming in last) would have meant that the risks of a full-blown data breach would have been greatly mitigated.  Have two or more, and the risks would have been mitigated even further. (My guess is the presence of a person watching over the laptops would have prevented the data breach.)

Impossible Security

The problem is, you can't realistically have people guarding computers 24/7 throughout the year.  To begin with, it costs too much.  Plus, people are quite fallible.  I think it was only a month ago I read a case where a security guard (the only security guard) left his post in the middle of the night to get a late night snack from McD's.  Someone broke into the building while the guard was gone, and laptops were stolen.

So what can one do?  Well, security generally requires layers, so that if one layer is penetrated, another set of layers will further obstruct access to the information.

Besides having a person watching over computers, companies can do the following to minimize the risks of a data breach:

  • Use physical security: locked doors, cable locks, locked cabinets, etc.  Anything with a lock
  • Restrict what type of data is saved on computers: if a computer doesn't have sensitive data, and it's stolen, that's not a breach; it's just good, old-fashioned theft.  I'm not saying that's a good thing, or that it's acceptable--but, it should be pointed out that the ramifications of a computer theft are less severe than those of a data breach
  • Use encryption: if you have to have sensitive information on a portable medium, at least make it so unauthorized people will find it nearly impossible to access the information.

Related Articles and Sites:
http://www.ico.gov.uk/upload/documents/library/data_protection/notices/mcr_city_council_undertaking.pdf
http://www.ico.gov.uk/upload/documents/pressreleases/2009/manchester_city_council_undertaking190609.pdf


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.