Endpoint Protection

St Albans City and District Council is the latest organisation to lose four laptops with personal data on over 14,000 voters. Files contained names, addresses, dates of birth, signatures, postal vote forms and statements which is all the information required to obtain a bank account.

Councillors were recently debating the loss and how the laptops could be stolen from the actual offices. Even though the data was protected, the portable devices were not physically secured. This goes against council policy of portable devices being physically as well as logically protected.

It also begs the question as to why personal data was held on portable devices. Such data should only be accessed on central resources and users prevented from copying to local devices.  We shall see what lessons will be learned and then forgotten til the next time.

The council needs to develop an information classification with associated policies on protection. A simple Data Loss Prevention product would have prevented the personal data from being copied in the first place but, had it been copied then the data would have been encrypted. It is noted that one of the laptops was left for months on an unused desk with no one knowing that held all this data. This is why an information audit and classification is required to start to get some control.

This story has been widely reported so use these links for more detail (such as there is)!!

http://www.stalbansreview.co.uk/news/4760711.St_Albans_councillors_debate_laptop_theft/

http://news.bbc.co.uk/1/hi/england/beds/bucks/herts/8363514.stm

http://www.stalbansreview.co.uk/news/4743799.St_Albans_council_worker_claims___Laptop_was_ignored_for_months_/

The Information Commisioners Office (ICO) or the privacy watchdog has published figures on data breaches that makes disturbing reading. What’s more is that the ICO  is getting so concerned that it will be introducing fines on comapnies and public bodies that recklessly or deliberately break the rules. Fines up to half a million may be imposed on losses of information. In total, 434 organisations reported data security breaches in the past 12 months, up from 277 the year before. This is what Deputy information commissioner David Smith said: “The majority of organisations get data protection right, but regrettably a significant minority of management teams are failing to take data protection seriously enough. Unacceptable amounts of data are being stolen, lost in transit or mislaid by staff. Far too much personal data is still being unnecessarily downloaded from secure servers on to unencrypted laptops, USB sticks, and other portable media.”

Well what a surprise! But what is really interesting and scary is that there are fines coming! But I thought that if you breached the Data Protection Act then you would be fined or sued anyway. However, what is clear is that this affects all businesses; large or small; SMB or large multinationals. So Data Loss Prevention is for all organisations that have personal data stored but it is not sufficient to just use device control, the ICO is saying any data loss from any channel! So does that mean that first generation products that really only do encryption and device control will be replaced by the second generation products that provide device, IM, and all the goodies? I think this is a call to action for vendors to smarten up their act and work with others to gain functionality rather than buy and try to integrate. You can read some more here http://news.bbc.co.uk/1/hi/uk_politics/8354655.stm