AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.


Data Encryption Software: Lost Laptop Leads To £60,000 Fine By ICO

The UK's Information Commissioner handed out two fines today.  These are the first monetary penalties handed out by the ICO since the Information Commissioner gained the right to fine UK companies involved in data breaches.  Not using appropriate data security, such as drive encryption software, carries a maximum fine of £500,000.

A4e Didn't Encrypt Laptop

A4e reported that a laptop computer was stolen when a burglar broke into an employee's home.  At the time, I had noted that employees need some kind of monitoring if working from a remote location since they don't necessarily follow company policies.  I blamed the employee for the data breach.

The reason?  The BBC had reported that "training company A4e said the data was held on a personal computer of an employee which was stolen."  Today, it turns out that A4e was essentially lying, or the BBC really needs to choose its words wisely.

According to the ICO's monetary penalty notice:

"[A4e] issued [the employee] with a laptop computer which did not contain any personal data but with the knowledge that it would be used for home working. The employee then loaded personal data and some sensitive personal data onto the laptop from the central secure servers. The only security on the laptop computer was password protection."

Does this sound like a personal computer to you?  I guess it does in the sense of "it was a work computer that was used by that one employee, personal to that person."  It's my opinion that most people would, in the BBC's article, assume the employee used his own, non-company-issued computer to download sensitive data.

Among other things revealed in the ICO's notice:

  • A4e had already begun an encryption program in March 2009 (the above computer was stolen in June 2010), with the first rollout phase completed in January 2010
  • Someone tried to access the computer after it had been stolen
  • A4e knew that the laptop would eventually contain personal info

What's most shocking to me is that, as far as I can tell, only 1,000 computers needed encryption: only 1,000 out of a total staff of 3,250 were working from home.  I know I'm tooting AlertBoot's horn here, but our endpoint security encryption software doesn't take over three months to roll out encryption to 1,000 computers, much less 12 months.

And indeed, the ICO's notice notes that, at A4e, "encryption and port control has been rolled out to all personal computers and laptops used by the data controller to comply with its contractual obligations to the Legal Services Commission."

Funny how it takes forever for encryption to be deployed until bad things happen.

A4e Fined for Knowingly Not Using Encryption

It was often pointed out that, when it comes to assessing monetary penalties, the ICO would choose its first cases carefully since these would be landmark cases.  What can we tell from the fact that A4e was fined?

Basically what it comes down to is this: make sure that you encrypt any company computers that carry sensitive data, and don't dally in implementing it.

It's just common sense, but apparently it requires a five-figure fine to drive the point home.


Related Articles and Sites:
http://www.ico.gov.uk/~/media/documents/library/Data_Protection/Notices/a4e_monetary_penalty_notice.ashx
http://www.zdnet.co.uk/news/security/2010/11/24/ico-levies-first-data-breach-fines-40090970/
http://www.ft.com/cms/s/2/55bbcad2-f7f0-11df-8d91-00144feab49a,dwp_uuid=9a36c1aa-3016-11da-ba9f-00000e2511c8.html#axzz16F6twJju

 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.