This Blog




AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.


AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

UK Information Commissioner Can Fine Company £500,000

The title is not a typo.  As of April 6, 2010, the Information Commissioner's Office (ICO) in the UK can fine organizations up to £500,000 for data breaches and other forms of non-compliance of the Data Protection Act (DPA).

  • Fines From £5,000 to £500,000
  • ICO Looking To Make An Example?
  • Monetary Penalty Guidance
  • Fines Necessary

One of the ways these fines can be minimized, perhaps even eliminated, is by having adequate information security measures in place, such as laptop encryption software for any portable computers an organization is using (there are other things to do as well, obviously, besides using encryption software, though).

Maximum Fines Jump From £5,000 to £500,000

If you've been following the news, the ICO got the go-ahead to assess fines last year, and this new power becomes effective starting April 6.  I've read that the ICO had the power to assess fines of £5,000 to date, although so far most companies were let off with the signing of an Undertaking.

What's an Undertaking?  That's where the CEOs promise to improve their security measures after they had an information security breach.  In many cases, the use of encryption software on any portable devices such as laptop computers and external hard disk drives is included as part of such improvements.

Here's an example of the promises as per the Undertaking (my emphases) in one particular case involving the Alzheimer's Society, although this copy can be found pretty much on every Undertaking:

  1. Portable and mobile devices including laptops and other portable media used to store and transmit personal data, the loss of which could cause damage or distress to individuals, are encrypted using encryption software which meets the current standard or equivalent;
  2. Physical security measures are adequate to prevent unauthorised access to personal data;
  3. Staff are aware of the data controller’s policy for the storage and use of personal data and are appropriately trained how to follow that policy;
  4. The data controller shall implement such other security measures as it deems appropriate to ensure that personal data is protected against unauthorised and unlawful

Like I mentioned before, data protection involves more than the use of data encryption software.

For example, if an organization does not use computers but has an extensive collection of sensitive personal information in files, they must make sure there's adequate security in the form of locking files cabinets and the like.  Yep, the ICO also looks into the security of information on printed materials.  After all, data is data.

Will The First Breaches Will Set The Agenda?

The opinion out there is that the ICO will come down hard on the first set of breaches that come its way after April 6.

The reason? For setting a standard for future breaches and penalties.  Of course, the ICO denies this, noting that the "ICO would not make an example of an organisation for the sake of making an example, it would be done on a case-by-case basis," according to a spokesperson.

In other words, the fines would be assessed depending on the situation: the nature of the breach, whether it was possible to prevent it, whether the protections in place--if any--were adequate, etc.  This is probably why there are reports that the ICO will be able to issue about 25 fines a year.

ICO Has Guidelines For Assessing Fines

Sections 3 and 4 of the "Information Commissioner’s guidance about the issue of monetary penalties prepared and issued under section 55C (1) of the Data Protection Act 1998" provide guidance on the circumstances under which monetary fines would be handed out, including examples.

(Among the eye-raising things about the guideline?  Under section 7.4, organizations get an early payment discount of 20% if full payment of the fine is made within 28 calendar days of the penalty notice being served.  I understand what the purpose of the discount is, but I still find it surprising: it makes it look as if the government has set up shop.)

Here's an interesting excerpt from the guideline that bears analysis:

As a general rule a data controller with substantial financial resources is more likely to attract a higher monetary penalty than a data controller with limited resources for a similar contravention of the data protection principles. It is not possible to provide specific examples at this early stage until actual cases present themselves. However, when precedents are available from either the monetary penalty notices served by the Commissioner or the decisions of the Tribunals, further guidance will be produced so that a data controller can better assess its position [Section 2, p.4; my emphases]

Perhaps I'm reading too much into the above, but it seems to me that examples will be made of for the initial companies that have significant breaches.  After all, if the government hands out too low of a fine, won't future organizations complain if their fines are higher?

Fines Perhaps Controversial, Definitely Necessary

Absolute Software and the Ponemon Institute have released a survey showing that nearly 90% of UK organizations admit to losing a laptop.  Of these 61% resulted in a data breach.

Mind you, this is three years into the numerous data breaches that rocked the UK, such as the loss of two CDs with child benefits records that affected nearly one-third of the UK's population.

Even after all these stories in the media, we find that companies have not woken up to the need for better data security.  Or rather, if you philosophize about the nature of the fines to be handed out soon, perhaps it would be more accurate to say that organizations don't feel the need for better data security: serving the customer is one thing, plunking down relatively big money for their data security is something else.

Will the fine change the behavior of companies?  It won't at first; but then, stories about sizable fines will make the round sin the media, and that will probably prompt many companies to take a second look at the data security procedures they have in place (which, I should point out, will also require the ability for a company to prove they have information security controls in place.)

Related Articles and Sites:

<Previous Next>

Hard Drive Encryption: Royal London Mutual Insurance Society Loses 8 Laptops

Full Disk Encryption, Victorinox Presentation Master, Being All Thumbs


No Comments

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.