The UK's Information Commissioner's Office has reported a breach of personal details for 2,135 people by the Royal London Mutual Insurance Society, the largest mutual life and pensions company in the United Kingdom. It is exactly the kind of breach that disk encryption software like AlertBoot could have prevented, had it been used.
Eight laptop computers were stolen from the insurance company's offices in Edinburgh. Of those, two computers stored the information of clients' employees. The computers did not make use of encryption software, but were password protected, which is pretty much useless against a thief who has the hardware: a logon password only gates the login screen, and the data on an unencrypted drive can be read by pulling the disk into another machine or booting the laptop from other media.
An internal report to Royal London showed that the company failed in many aspects. The company "was uncertain about the precise location of the laptops at any given time and that physical security measures were inadequate," per scmagazineuk.com.
Even more damning, though, is that "managers were not aware that personal information was stored on any of the laptops, which meant no additional precautions to control and secure the data had been taken."
In yesterday's post, I had noted that not storing sensitive information is always the best form of data protection, in the sense that not having sensitive data means there is nothing to protect. I also noted that it doesn't work very well.
The above story illustrates why. The crux of the matter lies in knowing if there's any sensitive data and, if so, where. In other words, someone or something must keep track of the information. This is easier said than done.
Now, it could be that company policy prohibits sensitive information from being stored on laptop computers at all. My guess is that Royal London, being one of the largest pensions companies in the UK, had such a policy in place--most big companies that deal with sensitive data have one, especially when they don't have adequate security, like encryption for laptops, in place. Did it work?
No. It almost never does--I'd like to put the figure of companies that can make it work at 1%. The problem is that most companies think they're that 1%, which clearly cannot all be true.
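A "no personal data on laptops" policy is only as good as the means of checking it, which is the point made above: someone or something has to keep track of where the data actually is. The following is an added example of that "something", a minimal sensitive-data discovery sweep written for this post; it is not code from AlertBoot, Royal London or any product named on the page. It walks a directory tree and flags text files that contain UK National Insurance numbers (the identifier a pensions administrator would most likely be holding) or e-mail addresses. The file names, contents and the 5 MiB size cap are constructed for the demonstration; the NINO format rules (allowed prefix letters, unallocated prefixes, suffix A to D) are the published HMRC ones.

```python
import os
import re
import tempfile

# UK National Insurance number: two prefix letters, six digits, suffix A-D.
# Letters D, F, I, Q, U, V are never used in the prefix, O is not used as the
# second letter, and the prefixes BG, GB, KN, NK, NT, TN, ZZ are not allocated.
# Spaces between the groups (AB 12 34 56 C) are optional.
NINO_RE = re.compile(
    r"\b(?!BG|GB|KN|NK|NT|TN|ZZ)"
    r"[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z] ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b"
)
# Plain e-mail address; good enough to flag an exported contact list.
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

PATTERNS = {"uk_nino": NINO_RE, "email": EMAIL_RE}

# Only text-like files are read; binaries are skipped rather than decoded.
TEXT_SUFFIXES = {".txt", ".csv", ".log", ".md", ".json"}
MAX_BYTES = 5 * 1024 * 1024  # assumed cap: skip anything larger than 5 MiB


def scan_file(path, patterns=PATTERNS):
    """Return {pattern_name: match_count} for one file; empty if nothing found."""
    if os.path.splitext(path)[1].lower() not in TEXT_SUFFIXES:
        return {}
    if os.path.getsize(path) > MAX_BYTES:
        return {}
    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
        text = fh.read()
    hits = {}
    for name, regex in patterns.items():
        count = len(regex.findall(text))
        if count:
            hits[name] = count
    return hits


def scan_tree(root, patterns=PATTERNS):
    """Walk root; return sorted [(relative_path, {pattern_name: count}), ...]."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for filename in filenames:
            full = os.path.join(dirpath, filename)
            hits = scan_file(full, patterns)
            if hits:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, hits))
    return sorted(findings)


def build_sample_tree(root):
    """Write constructed sample files (not real data) under root."""
    files = {
        "notes/meeting.txt": "Agenda: pensions review. No client data here.\n",
        "exports/scheme_members.csv": (
            "name,nino,email\n"
            "Jane Smith,AB123456C,jane.smith@example.com\n"
            "Sam Jones,JG 10 31 59 A,sam.jones@example.org\n"
        ),
        "old/backup.log": (
            "2010-03-17 member AB 12 34 56 C rejected, see admin@example.com\n"
            "2010-03-17 record AB123456E skipped (suffix E is not a NINO)\n"
        ),
        "bin/tool.exe": "MZ binary blob AB123456C",  # non-text suffix: never read
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def demo():
    """Build the sample tree in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel, hits in demo():
        print(f"{rel}: {hits}")
```

Run against a real laptop, the interesting output is not the obvious `exports/` folder but the stray log, backup or mail export nobody knew was there, which is exactly the situation the internal report describes. A sweep like this does not replace encryption (a clean result today says nothing about tomorrow's download), but it turns an unverifiable policy into one that can at least be measured.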
Related Articles and Sites:
http://www.scmagazineuk.com/royal-london-mutual-insurance-society-loses-eight-laptops-and-the-personal-details-of-2135-people/article/166024/
http://www.insurancedaily.co.uk/2010/03/18/royal-london-faces-up-to-data-protection-breach/
http://en.wikipedia.org/wiki/Royal_London