A laptop computer was stolen from the home of a QC in 2009. The computer contained personal data related to court cases, but the loss of the laptop was not reported until August 2011, two years later. It appears that disk encryption software like AlertBoot was not used to protect the contents of the device.
Plumbers Running Amok?
There are a number of irregularities concerning this story. First, the fact that the laptop was not reported as missing immediately. According to a number of sources, the QC (Queen’s Counsel) lost her laptop in the summer of 2009; however, the breach was only reported to the Information Commissioner’s Office (ICO) on August 30, 2011, when “the last case relating to information held on the laptop was concluded” (scmagazineuk.com). The laptop contained details on people with physical and mental health issues who were involved in court cases.
Maybe I’m reading too much into this, but the suggestion seems to be that the breach came to light, not because the QC felt compelled to report it, but because someone else got involved — such as someone asking for the laptop back (assuming it was issued by a government department) or collecting back any case data.
The laptop was not properly secured — encryption software, for example, was not used — although the QC did note she kept her home’s doors locked and alarm activated. Which brings us to the second oddity.
Apparently, the laptop was stolen during the summer of 2009 while she went on holiday. The odd part is that she allowed plumbers to walk around in her home unsupervised while she went off to wherever QCs go during their breaks. I’m unable to find a reference, but I think I read an article stating that she gave them the keys to her house.
On the one hand, it sounds like a stupid act. On the other hand, you can assume the plumbers wouldn’t steal anything because, if anything goes missing, they’d be the first ones to be suspected. But then, they could also point fingers at each other.
A further problem is that while the owner of the house might have been very security-conscious, the plumbers might not have been: who’s to say they didn’t complete some job over a week, and at the end of each shift left the home unlocked and unalarmed?
Fining a Person Up to £500,000
The ICO has come to the conclusion that the impact of the breach is minimal: any details in the laptop would have been revealed in court as evidence. However, a severe warning was given out:
As this incident took place before April 6 2010 the ICO is unable to serve a financial penalty in this instance. But this case should act as a warning to other legal professionals that their failure to protect personal information is not just about potentially being served with a penalty of up to £500,000 – it could affect their careers too. [news.stv.tv]
Wow. This is news to me. Based on what I’ve come to understand, the £500,000 penalty can be imposed on data controllers only. Seeing the above remarks, and the fact that the QC had to sign an Undertaking promising to properly encrypt all future portable data storage devices, I can only conclude that the position of being a QC means you are your own data controller.
Granted, it’s quite improbable that the ICO would penalize an individual by £500,000. After all, the ICO hasn’t issued a £500,000 penalty on companies that have lost data on tens of thousands of people.
However, the risk of being personally (professionally) fined to the order of tens of thousands of pounds or more — depending on the egregiousness of the data breach — is something QCs and other professionals may want to avoid.
Just to let you know, the full disk encryption package from AlertBoot goes for less than US$13 per month.