AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

Data Encryption: UK Information Commissioner Can Fine Up To 500,000 Pounds

The UK Information Commissioner's Office has released guidance (linked at the bottom) on how it will impose monetary penalties on organizations that breach the Data Protection Act.  One thing that doesn't seem to get mentioned enough in it is data encryption; what matters, however, is the context in which it does get mentioned.

Fines of Up To £500,000

Recently passed legislation allows the Information Commissioner to impose fines of up to half a million pounds.  The actual fine, of course, will depend on how serious the breach was.  The Commissioner promises to assess each case individually to determine the appropriate level of penalty.

Divining The Future

The likelihood of damage or distress suffered by an individual will have to be considerable in importance, value, degree, amount or extent. The Commissioner will assess both the likelihood and the extent of the damage or distress as objectively as possible. In assessing the likelihood of damage or distress suffered by an individual the Commissioner will consider whether the damage or distress is merely perceived or of real substance.[my emphasis]

That's a lot of "likelihoods."  Consider the implications, though.  Unlike in the US, where court after court has held that companies cannot be penalized for harm that has not yet happened, the ICO intends to make a reasoned estimate of what could happen to the people affected by a data breach and set penalties accordingly.

What About Encryption?

Encryption is mentioned in the guidance only three times.  As I noted, though, what matters is the context in which it is mentioned.

Examples – serious contravention
The failure by a data controller to take adequate security measures (use of encrypted files and devices, operational procedures, guidance etc.) resulting in the loss of a compact disc holding personal data.

In other words, the guidance treats the encryption of files and devices as an adequate security measure, so the loss of an encrypted disc holding personal data would not, by itself, be a serious contravention.  Which, I assume, implies that any monetary penalty would not be considerable.

Also, consider the following:

What are the reasonable steps the Commissioner expects the data controller to take?
The Commissioner is more likely to consider that the data controller has taken reasonable steps to prevent the contravention if any of the following apply:

c) The data controller had appropriate policies, procedures, practices or processes in place and they were relevant to the contravention, for example, a policy to encrypt all laptops and removable media in relation to the loss of a laptop by an employee of the data controller

While encryption is not mentioned often (and, the last time I checked, it is not required by law), the passages above strongly imply that its use is being highly encouraged.

Consider, furthermore, the Undertakings that various companies and agencies have had to sign after the ICO found them in breach of the DPA: in every case, those organizations had to promise to protect their portable devices with encryption software such as AlertBoot.


Related Articles and Sites:
http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/ico_guidance_monetary_penalties.pdf


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.