Over sixty data breaches were perpetrated by the West Sussex County Council. The breaches go back to 2008, so perhaps some slack can be given to the council: it was around that time that the general populace really started to take notice of and look into the importance of data protection (and its tools, such as disk encryption software from AlertBoot).
Perhaps they might not have been aware of the need for protecting sensitive data (although it’d be odd — the Data Protection Act of 1998 has, presumably, been around since 1998).
16,400 Affected in 2010
On the other hand, it turns out that the loss of a USB memory stick led to the breach of personal details for 16,400 in 2010, when people in general already knew about the importance of data security.
The USB stick appears to have been recovered, and according to theargus.co.uk, the worker who lost the device “escaped disciplinary action.” Was there a good, logical reason behind this lack of action? Well, it depends. According to the West Sussex County Council, the USB device was merely misplaced “among other work-related documents.”
Without further details, it’s impossible to tell whether it was just a simple case of misplacing something or something more sinister. For example, what if someone stole the USB stick temporarily, copied the information, and placed it back among the worker’s belongings?
There were other problems:
Children’s medical reports are left in a bag that is donated to charity
The number of people affected went unrecorded in nine cases
Victims were not notified in “dozens of cases”
It hardly comes as a surprise, then, that the West Sussex County Council was criticized by the Information Commissioner’s Office as showing a “poor regard” for protecting sensitive personal information.
The silver lining in this case is that the West Sussex County Council has already done something about the situation. According to a spokesperson, all council laptops and USB memory sticks are protected with encryption software.
While the council should be applauded for making that decision, I also note that there is no mention of what policies and training were put in place to ensure that other aspects of data security are covered.
For example, what have they done to ensure employees do not copy sensitive data to personal devices which may not necessarily be encrypted?
It must be remembered that data encryption tools, while important, efficient, and easy to use, are meant to complement a number of encompassing security practices.