Hard Drive Encryption To The Rescue: UK Making Data Loss Illegal.

It looks like the last six months of information security breaches have prodded the UK legislature to do something about it.  The House of Lords has decided to make data loss illegal, backing an amendment that would make anyone guilty of breaking the law if he or she “recklessly or intentionally reveals personal data on someone.”

There were some who wanted to make the new law applicable to government workers only, but this was dismissed by (quite logically) concluding that “if you’re a member of the public it doesn’t actually matter if it is the public or private sector that is losing your data.”  An argument that pretty much anyone can agree to.  However, the deal is not sealed yet; the House of Commons must also approve the amendment.  Hopefully, the House of Commons feels the same sense of urgency about this issue as the House of Lords.

If the amendment passes both houses, what does it mean for organizations in the UK?  Well, it means that they will now be forced to pay attention to their data security practices.  Initially, I thought it would be one of those laws that can’t be upheld.  After all, what’s the point of a law that flies in the face of nature?  It’s not as if the new legislation can eliminate all instances of data loss—you can’t eliminate honest-to-God accidents.  However, I see what the legislators did there.  “Recklessly or intentionally” revealing personal information is not an accident, and hence grounds for the gaol or whatever is the appropriate punishment.

I expect that the one thing a lot of companies will rely on to ensure compliance with the law (if passed) is full disk encryption for their computers, especially if they have any laptops in the workplace.  Of course, someone would argue that setting a policy stating that sensitive data should not be stored on such machines would be the responsible thing to do; and while I agree, I’m somewhat pragmatic and realize that this is hard to control.  Plus, it’s probably a more resource-hogging way of approaching data security because it needs constant monitoring: with people downloading things left and right, who’s to say that nothing got saved locally that shouldn’t have been?  This doesn’t mean that such policies don’t have a place in data security.  The best way of making sure data doesn’t get leached out is to ensure that people don’t have data to leach to begin with.  But then, how would people perform their duties? (Answer: badly, with a lot of frustration and grumbling.)

So, again, I expect that a lot of companies will see the practicality that lies in full disk encryption like AlertBoot and take that approach for ensuring they’re not being reckless with data.  That’s because hard disk encryption is not as resource intensive.  For example, once in place, there is no way to get rid of the encryption itself unless it’s initiated by someone who has access to the centralized management console.  This is an easier way of securing data than constantly auditing what’s actually saved on each computer (and finding something was overlooked while reconstructing the contents after a theft).


