Marks & Spencer was ordered by the Information Commissioner’s Office to encrypt all of their laptops. This is the conclusion to last May’s theft of a laptop that contained the personal information of 26,000 Marks & Spencer employees.
The laptop was stolen from a printing firm working for M&S. It contained details on the employee pension arrangements, as well as salary details, addresses, dates of birth, national insurance numbers, and phone numbers. At the time M&S had revealed that the laptop was password-protected. However, as detailed in many previous posts, this cannot be considered protection at any level. Apparently, the ICO agrees. Otherwise they wouldn’t have instructed the retailer to encrypt all of their laptops by April of this year.
More specifically, the ICO is ordering M&S to encrypt all hard drives—apparently, including those within laptops. Not complying with the order could result in the prosecution of… well, of someone. In their press release, the ICO found the retailer in breach of the Data Protection Act because the laptop was not encrypted. This is a very interesting finding, mostly because a lot of data has been lost over the past couple of months, virtually all of it unencrypted. One wonders if the ICO will be bringing charges against the government itself.
Anyhow, it seems that M&S got the message a long time ago. A spokeswoman for the retailer announced that they’ve been encrypting their laptops since October, when the ICO broached the subject. (She also said, however, that they were surprised by the findings and by the ruling.)
So, why did the ICO come to the ruling that a retailer ought to encrypt all hard drives? After all, if it’s protection of information that they’re looking for, wouldn’t encrypting individual files achieve the same purpose? The answer is: technically, yes.
However, the onus falls upon the end-user if individual files are to be encrypted. And while I don’t mean to be disparaging towards people in general, the truth is that there is always a small number of individuals who take it upon themselves to create the conditions of a security breach. In other words, they are the weakest link in the chain (if only a stern, British woman-type could utter those words and fire people…it’d be great entertainment). Plus, there’s always the question of which files are to be encrypted, and which ones not. It’s much easier to encrypt the entire hard drive and protect the whole disk using a service such as AlertBoot, eliminating personal judgments on what is important: it makes security easier to enforce.
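Enforcing an “encrypt every hard drive” order means being able to audit it, not just trust the user. The script below is an added example (not part of this post and not AlertBoot’s code) that reads `lsblk -P` output on a Linux laptop, walks each mounted filesystem back through its parent devices, and reports any mount that has no dm-crypt (LUKS) layer beneath it; the sample output, the `cryptroot` mapping name, and the `/boot` exemptions are constructed for illustration.

```python
import re

# Constructed sample of `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME`:
# the root filesystem sits on LUKS, but a second disk holds plain NTFS.
SAMPLE_LSBLK = '''\
NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi" PKNAME="sda"
NAME="sda2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="sda"
NAME="cryptroot" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="sda2"
NAME="sdb" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sdb1" TYPE="part" FSTYPE="ntfs" MOUNTPOINT="/mnt/data" PKNAME="sdb"
'''

# One KEY="value" pair as printed by lsblk -P (values are double-quoted, escapes kept).
_PAIR = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_lsblk(text):
    """Turn `lsblk -P` output into {device name: {column: value}}."""
    devices = {}
    for line in text.splitlines():
        if line.strip():
            fields = dict(_PAIR.findall(line))
            devices[fields["NAME"]] = fields
    return devices


def is_encrypted(devices, name):
    """True if the device, or any ancestor in its block stack, is a dm-crypt mapping."""
    seen = set()
    while name and name not in seen:        # PKNAME chain ends at the physical disk
        seen.add(name)
        dev = devices.get(name)
        if dev is None:
            return False
        if dev["TYPE"] == "crypt":
            return True
        name = dev["PKNAME"]
    return False


def unencrypted_mounts(text, exempt=("/boot", "/boot/efi")):
    """(device, mountpoint) pairs for mounted filesystems with no encryption layer below them.

    `exempt` is an assumed policy allowance for unencrypted boot partitions."""
    devices = parse_lsblk(text)
    return sorted(
        (d["NAME"], d["MOUNTPOINT"])
        for d in devices.values()
        if d["MOUNTPOINT"] and d["MOUNTPOINT"] not in exempt
        and not is_encrypted(devices, d["NAME"])
    )
```

On a live machine, feed `unencrypted_mounts` the stdout of `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME`; an empty result means every mounted filesystem (outside the exemptions) is backed by an encrypted device.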