Data Encryption Software: Its Use Doesn’t Lead To Low Risk? West Sussex Council Breach Commentary.

West Sussex County Council (WSCC) has been named by the UK’s Big Brother Watch organization as the seventh worst offending authority when it comes to the loss of private data.  WSCC has cried foul, explaining that the majority of the breaches were mitigated (by, it implies, using appropriate tools like laptop encryption software).  Generally, I take the side of those making the accusation that someone was remiss in protecting data, but WSCC has a point.

36 Incidents Over 3 Years

How did WSCC end up number seven on the list?  Thanks to its admission that over the 2008 – 2011 period, the council had 36 incidents where devices with sensitive personal information were lost or stolen.  Big Brother Watch, via a Freedom of Information request, found that 13 smartphones and 16 laptops belonging to WSCC were, ahem, found to be unrecoverable in that three-year period.

WSCC, of course, begs to differ.  It noted that the figure is actually 29, not 36.  Furthermore, of the twenty-nine incidents, 25 of them are considered low-risk because “either no sensitive data was lost, or the lost equipment was protected.”  The full statement mentioned the use of encryption software.
Big Brother Watch appears to have defended its position by noting that (my emphasis),

We’re looking at cases from West Sussex of things like Blackberries that were lost or reported stolen, or in some cases paper files, but I think the problem is they often assess these as low risk.

At the end of the day, I think that any case in which someone’s personal data has been lost is one case too many and there is no such thing as low risk.

I’m not sure what to make of this statement.  I had to read it over and over again.  If you accept WSCC’s protestations (and I don’t see why one wouldn’t; I mean, why be disingenuous when BBW has the paperwork to counter their claims, assuming WSCC is trying to lead the public astray?), BBW’s statement above seems to imply that lost or stolen personal data is something other than low-risk, regardless of what type of protection was on it.

On the one hand, it sounds like BBW is saying “hey, stolen files are not low risk incidents; and lost personal data, be it sensitive or not, is not necessarily low risk just because you think it’s low risk.”

I assume BBW was quoted out of context, or there was some sort of miscommunication, or I misunderstood the point they were trying to make.  It’s quite clear from their report that they view the use of encryption as something to be encouraged.  It certainly doesn’t impart on one the feeling that encryption is worthless, or that it doesn’t contribute towards good security.

Furthermore, I’ve found this on their site:

It’s high time that local authorities – particularly those with social care responsibilities such as Kirklees – ensure that their policies on data security and remote working place a paramount importance on encryption.  Encryption should not be thought of as an optional policy, but rather the cornerstone of a strategy designed to safeguard and protect the personal data and privacy of local residents from data loss and theft. [my emphasis]

Big Brother Watch is, as far as I can tell, pro-encryption.

There is Such a Thing as Low-Risk

The loss of a computer or smartphone with sensitive data does not necessarily pose the same risk as the loss of the same when protected with encryption.

You’ll notice that I used the qualifier “not necessarily.”  That’s because there are instances where even the use of encryption doesn’t mean a data breach is low-risk.  For example, let’s assume that laptop encryption was already deployed on a stolen computer that stored sensitive personal data.  Assuming strong encryption was used, that’s a low-risk incident.  In fact, there’s a pretty good chance it’s a no-risk incident (no data breach).

But, let’s add a twist: a post-it note with the password for accessing the computer was stuck to the palm rest of the laptop.  Now you’ve got a high-risk incident.  Unless the thief is illiterate (he as well as his immediate circle), you’ve got a data breach on your hands, encryption or no encryption.  I mean, you see a password, you’re going to use it.  It’s like scratching an itch: you don’t think about it, you just do it.

But, if you haven’t made a stupid move like taping your password to your laptop, the chances of a data breach are low when encryption is utilized.  It’s a low-risk situation.

Does admitting that encryption has its limitations make it less effective?  Does it chip away at its ability to lower the risk of a data breach?  Am I undermining my own position, namely that there is such a thing as low-risk when it comes to the loss of personal information?

Perhaps it does, although I’m of the opinion that it doesn’t.  Personally, I believe that admission to such weaknesses helps users of encryption learn what they should not do, strengthening data security overall.  But, let us assume that I’m wrong and carry the subject to its logical conclusion.

If the use of data security tools does not lead to low-risk, it’s only logical that data security tools not be used.  Why tack on the additional expenses (annual licensing fees, IT department time and energy, people mistyping their passwords, general headaches that come from deploying new technologies, etc.) if it’s not going to result in low-risk?

One could make the pedantic argument that while there is no such thing as “low risk” there is “lower risk”, thus justifying the use of data security tools.  For example, the use of encryption software lowers the risk of personal data being exposed, but never quite enough that it can be considered or classified as low-risk.

But, that brings us back to my paragraph above: why use it if it doesn’t lead to tangible, practicable, or desirable results?  The point behind data security is not to just lower the risk, it’s to lower it enough that it goes into the low-risk territory.  Otherwise, you find a better way to do things.

Back to West Sussex County Council

Anyhow, coming back to the original West Sussex County Council situation: if their claims are true (and, again, I don’t see why they wouldn’t be: it’d be stupid to lie at this point), there is a conflict between what BBW has reported regarding the council and its own stance on encryption.

In its report, Big Brother Watch notes that all of WSCC’s BlackBerrys were remotely wiped when the theft or loss was reported.  This implies the use of encryption.  The way you remotely wipe a BB is to lose the encryption key.  That’s already 13 devices that can be stricken off the list, bringing down the number of breach incidents to 23, per BBW’s count.  That’s enough to bring WSCC down to tenth place, assuming the eleventh involves less than 23 incidents.

Furthermore, two laptop losses are classified as “no personal data” (there are plenty labeled as non-sensitive data), which would again bring down the count, to 21 incidents.

Also, it’s noted that the majority of laptops at WSCC were encrypted by September 2010.  If there were any laptop losses after this date, chances are they would further bring down the incident count.

It looks like WSCC has reason to protest.
