A London barrister has signed an Undertaking with the UK’s Information Commissioner’s Office (ICO). According to the agreement, Richard Dominic Preston, a Barrister-at-law, promises to encrypt “all portable and mobile devices used by the data controller, including laptops and other portable media.” Clearly, disk encryption like AlertBoot is called for.
Didn’t Know Computers Could Be Encrypted
The ICO’s Undertaking doesn’t provide too many details regarding the breach. For example, dates are not specified. What we do know is that there was a burglary at the barrister’s home. The thieves entered the premises via a window.
The computer was protected with a password, but encryption software was not used. There is no mention of cable locks or other physical security (although, truth be told, it’s very rare to find people who’ll use cable locks within their homes), except for what you might find in residential habitations: locks on doors, etc.
Most of the information on the laptop is in the public domain (produced in court); however, there were some electronic missives that were not, triggering a breach of the Data Protection Act.
The unusual aspect to the story, though, is that the barrister claims he didn’t know computers could be encrypted. And, maybe, that’s not unusual at all.
If you are a lawyer who doesn’t deal with technology issues, is not interested in technology and security issues in general, and is over the age of, say, 50…well, you might not know that computers can be encrypted. I’m not being facetious. Sure, there are those who would know, but we can’t go around stating that everybody knows.
It sounds like I’m excusing the barrister. I’m not. I’m just stating that perhaps we could do a better job of getting the message out there. Although, if they’re not interested in technology, I’m not sure how we can reach them. I guess someone could go door-to-door, like an encyclopedia salesman from days of yore….
Private Practice = Company = You as Data Controller
This is the second example I’ve come across where a lawyer has crossed paths with the ICO and received some kind of warning. The first is the QC laptop loss from one month ago.
I remarked at the time that it appears that being a QC meant you are your own data controller: the ICO implied that the only reason it couldn’t serve a monetary penalty was because the incident had taken place prior to April 2010, when the ICO gained the ability to issue monetary penalties. (Why did I make the “QC = data controller” link? The ICO can only fine data controllers.)
Upon reflection, though, it’s most probable that the QC and the barrister above are private practitioners. If you are a private practitioner, you are your own company. Hence, you are your own data controller. And thus, you are the one signing Undertakings and (possibly) being fined.
Related Articles and Sites:
http://www.ico.gov.uk/what_we_cover/taking_action/~/media/documents/library/Data_Protection/Notices/richard_dominic_preston_preston_revised_undertaking.ashx (PDF download)