It’s been confirmed that two laptop computers issued to the Caithness authority, in the UK, were stolen from locked offices in November of last year. Disk encryption software like AlertBoot was not installed on the computers, although these were password-protected. A total of 1,400 Caithness residents are affected.
One of the laptops was being used strictly for administrative work processing personal injury insurance claims. Due to the nature of the job, some health information was included in the laptop (supporting medical evidence). It’s been emphasized that these are not NHS (National Health Trust) records per se, but information that was submitted by the claimants.
(I guess the point is that the breach is limited to whatever information was submitted by the individuals…which should be minimal, as opposed to a situation where an NHS laptop with sensitive records goes missing, which, depending on the situation, could include everything related to a patient).
It was not mentioned what was on the other laptop; this probably signals that there was nothing of importance on it (…or maybe, so important that it can’t be revealed to the public).
The computers were stolen during a break-in. In a clear case of fixing the stable after the horses have fled, the council has decided to use encryption software on laptops, as well as installing other forms of security, in a bid to stem any similar future breaches.
The local authority’s chief executive has promised to encrypt all laptops by September 30 of this year. It appears to me that encrypting all mobile devices in the Highland council in two months is a tall order, even if one were using encryption software designed for easy deployments; however, considering that the council has known this was an issue since November of last year, technically, it seems they’ve had nearly a year to consider their approach to this security issue.
And yes, as mentioned before, it is a case of fixing the barn after the horses have fled. It won’t do any good to the 1,400 already affected. On the other hand, if you’re confident of getting further horses, fixing the barn is required. And this being a government agency, and the job was processing insurance claims…well, these things are like death and taxes: they’ll be there as long as people and nation-states are around.
One can only hope that the council has learned that security requires on-going assessment, and will not just stop at encrypting devices and data, but will periodically review their current and future needs. Barns that require fixing today will require fixing in the future as well.