
Recent reports that Glasgow Council is writing to more than 37,000 businesses and people, notifying them of the loss of their data – including business and personal bank details – on two laptops stolen from the council’s office last month, show that ICO penalties are failing to hit home in the public sector, says Cryptzone.

According to Grant Taylor, UK Vice President of the European threat mitigation specialist, the data held on the laptops was not encrypted, yet it also included the bank account details of more than 6,000 people and 10,000 companies.

“Here we have another council apologising that it has put vulnerable people's personal information at risk. It seems that the penalties imposed by the Information Commissioner’s Office (ICO) are doing very little to make public sector organisations change their security behaviour until they are directly affected by a data breach,” he said.

“Senior management needs to be checking on the actual habits of its users rather than just relying on the documented practices presented by the IT department,” he added.

The Cryptzone UK Vice President went on to say that he finds himself wondering why – and for what purposes – a council representative needed to keep such high volumes of confidential personal and business data on the laptop.

If there were a valid reason for storing this information, he says, the question is why they did not think to secure the data more effectively.

No doubt the ICO – which has been notified – he adds, will determine the root cause of the breach, but it is likely to boil down to the usual reasons: a lack of user awareness, disregard for documented processes and a culture of organisational complacency.

Even if the laptop was never to be used outside of the building, says Taylor, good data protection practice requires that – at the very least – the data should have been encrypted.

“This would have protected the file contents not only in the event of equipment theft, but offered protection against any unauthorised access,” he said.

“Saying sorry is all well and good, but won't give peace of mind to the citizens – and businesses – whose data has been left exposed to potential fraudulent use. My observations here are that actions – as they always do in such situations – speak louder than words,” he added.

“In this spirit, I suggest that any IT security professional reading this pick up one of their organisation's laptops today and see what data is being put at risk in the event – as appears quite probable today – that their operation will become another crime statistic.”

 

 
