Two charities out of the UK have signed Undertakings with the Information Commissioner’s Office (ICO): Asperger’s Children and Carers Together (ACCT) and Wheelbase Motor Project. In both cases, laptop encryption software like AlertBoot was not used to protect sensitive information, resulting in a data breach when their respective notebook computers were stolen. Summaries of those incidents follow below, but first….
Non-Profit Encryption Software: AlertBoot (and Probably Others) Offers Discounts
There are substantial legal differences between non-profits and their for-profit counterparts. However, there are certain areas where the law applies equally, too. For example, the law wouldn’t treat employees at a non-profit front for the mob any differently from a for-profit that acts as a front.
Likewise, the law applies equally to both non-profits and for-profit corporations when it comes to data breaches and data security. As far as I know, this is true regardless of where you are, be it the UK, the US, Canada, Mexico, whatever.
I’m still quite apoplectic over the incident that prompted me to write up why Nevada’s non-profits need to abide by the Nevada Personal Information Security Law. In fact, I don’t see why I even had to come up with that trail of proof: it’s common sense. Sensitive data is sensitive data, no matter who loses it. Why would a non-profit think that they don’t have to comply with data security regulations just because they’re not making a profit? I mean, do they also not have to follow employee-rights legislation, either?
Of course, all of the above being said, it doesn’t mean that a non-profit must also bear the same weight that a for-profit does. There are plenty of companies, including AlertBoot, that will extend a discount on their products and services to a non-profit organization.
(If you are a non-profit and are interested in AlertBoot, contact us and let us know you’re a non-profit.)
Granted, using security products probably means that you’re diverting resources into something that feels less worthwhile, especially considering your mission. However, make no mistake, a data breach affects for-profits’ and non-profits’ clients alike. I’d hate to find, for example, that children suffering from Asperger’s Syndrome also have to fend against ID theft and fraud because my organization didn’t have adequate data protections in place.
Asperger’s Children and Carers Together
ACCT reported a breach to the ICO after a laptop computer holding sensitive information on 80 children was stolen from an employee’s home over Christmas. The computer held children’s names, addresses, and dates of birth.
Wheelbase Motor Project
Wheelbase reported a theft from its offices: an unencrypted hard drive was stolen, impacting 50 people. The external hard drive was used as a backup and contained details on criminal convictions, racial background, special education needs, and child protection issues, all of which were breached as a result. The incident took place in February 2011.
Wheelbase “intends to complete encryption of all back-up devices by 4 March 2011,” per its Undertaking agreement. That’s a weird statement to be making, unless they’re implying that desktop computers and laptops were already encrypted to begin with.
If the implication is not true, then there is the other implication that backups will be encrypted while computers will not, which is quite the feebleminded decision. I’m hoping it’s a misquote due to the formatting of the Undertaking itself.
Regardless, the ICO is requiring in the Undertaking that any portable devices that contain sensitive data are properly secured with encryption.