Rochdale Metropolitan Borough Council has been reprimanded by the UK’s Information Commissioner’s Office (ICO) for the loss of a USB drive. The device contained personal information and was not protected with data encryption software like AlertBoot.
The missing device contained names, addresses, and council payment details. Bank account details and other data were not included. The information was used to “compile the council’s financial accounts” according to publicservice.co.uk.
A subsequent investigation by the ICO also found that the council had failed on many fronts when it comes to data protection. As stated previously, encryption software was not used to secure the USB memory stick. As it turns out, the USB device was given out to its staff, so the council has no one but itself to blame for the breach.
Furthermore, it was revealed that employees did not receive adequate data security training. Rochdale Council has until March 2012 to implement the promises detailed in the Undertaking it signed.
The council is already using encrypted USB sticks, according to rochdaleonline.co.uk.
Too Little, Too Late
Did you know that the ICO does not have the power to perform audits? It can audit central government departments, but other sectors, such as the NHS and the private sector, are off-limits. Local government, such as the Rochdale Council above, is off-limits, too. This is despite the fact that most breaches come from these areas.
You can expect the “breach first, encryption second” scenario to keep playing out as long as nobody’s overseeing the situation.