There have been a number of reports recently of laptop computers, containing personal information, which have been stolen from vehicles, dwellings or left in inappropriate places without being protected adequately. The Information Commissioner has formed the view that in future, where such losses occur and where encryption software has not been used to protect the data, regulatory action may be pursued.
“The ICO recommends that portable and mobile devices including magnetic media, used to store and transmit personal information, the loss of which could cause damage or distress to individuals, should be protected using approved encryption software which is designed to guard against the compromise of information.
Encryption software uses a complex series of embedded mathematical algorithms to protect and encrypt information. This process hides the data and prevents any inadvertent access or unauthorised disclosure of information. Since encryption standards are always evolving, it is recommended that data controllers ensure that any solution which is implemented meets the current standard, such as the recommended FIPS 140-2 (cryptographic modules, software and hardware) and FIPS 197.”
Research by Absolute Software and the Ponemon Institute on the use of encryption on laptops in the corporate environment found that 56% of US business managers disable laptop encryption and only 45% of IT security practitioners report that their organisation was able to prove the contents of missing laptops were encrypted.
We therefore recommend the use of self-encrypting disks (“SED”) which are certified as meeting the current standard, FIPS 140-2 (Security Requirements for Cryptographic Modules). If the laptop or other device is lost or stolen, it is then a simple matter to show that all the personal information was encrypted to an appropriate standard at the time of the loss or theft: with documented whole-disk encryption, this is easy to demonstrate to the authorities. Contact us for more information.
Penalties for non-compliance
In 2010, the Information Commissioner imposed a penalty of £60,000 on A4e after an employee used a laptop to work from home and it was stolen in a burglary. The laptop contained personal information on about 24,000 clients and was password protected, but not encrypted. A4e had started to roll out an encryption programme, but encryption of the laptop had been scheduled for a later date.
In July 2012, the Information Commissioner imposed a penalty of £150,000 on Welcome Financial Services Limited after two unencrypted backup disks containing personal information relating to 20,000 employees, 8,000 agents and 1.94 million customers were stolen from its access-controlled Communications Room. Since then, Welcome has undertaken a comprehensive internal review to ensure all its data and systems are encrypted.