Community Integrated Care (CIC) has signed an Undertaking with the UK’s Information Commissioner’s Office (ICO) following a break-in at CIC’s premises. Laptop encryption software like AlertBoot was apparently not considered necessary in this particular case; that is not to say that sensitive data was not breached.
Laptop, Router, and Printer Stolen
According to the Undertaking, the ICO was informed of
the theft of a laptop, router and printer in June 2011 from a locked ground floor office in the Newcastle area. The data controller is a national social and healthcare charity. The laptop contained personal data relating to 20 employees; it also stored limited sensitive personal data relating to 20 young service users, including name, school and abbreviated details of their physical and mental disabilities.
The laptop was password-protected but not encrypted. As frequently pointed out, there is a big difference between the two. A login password is an access control enforced by the running operating system: remove the drive and attach it to another machine, or boot the laptop from a USB stick, and every file on it is readable in the clear. Encryption protects the data itself, so a thief who has the hardware but not the key (or the pre-boot passphrase) gets nothing but ciphertext, provided the machine was powered off or the volume locked when it was taken. Password protection on its own may or may not be considered data protection under the Act, and even then only a very weak form of it.
Let me contradict what I said at the top: based on the passage above, the laptop in question most certainly did require cryptographic protection. One could argue that “personal data” does not necessarily require it, but “sensitive personal data”?
Why Wasn’t CIC Fined?
I’ve seen cases where the ICO imposed monetary penalties for the breach of a single child’s sensitive personal data. In this case, twenty “young service users” had their information breached. Why the disparity?
The punishment appears to have been softened by the facts that (a) this is a charity with limited financial means, (b) the breach was prompted by outside forces (a burglary rather than a lost or carelessly handled device), and (c) the sensitive information most probably fell towards the “less controversial” end of the data sensitivity spectrum.
If you’re wondering what I mean by that last point, you’re right to question it. All I’m saying is that there is sensitive data and there is sensitive data. A list of children’s names and their mental disabilities is sensitive data. A list of molested children who are receiving counseling is also sensitive data. The classification is admittedly subjective, but consider which list causes more of an uproar when breached and you get the drift.
Anyhow, the point is that the ICO weighs many factors before deciding to impose a monetary penalty on an organization that breaches the UK’s Data Protection Act.
Just as important, I have never come across a case where the ICO imposed a monetary penalty when the lost or stolen sensitive personal data had been encrypted, regardless of the organization’s financial wherewithal, how the breach took place, or how sensitive the stored data happened to be.
The ICO’s position is very clear: use encryption to protect sensitive data. Doing so doesn’t have to be hard, laborious, or fraught with delays: an individual, small business, large enterprise, or charitable organization can start encrypting laptops and desktops right away with AlertBoot. Our centralized encryption is on-demand software-as-a-service. It really doesn’t get any easier or faster than this.