AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Was The ICO's Fine Too Small? Or Was It Just Right?

The UK Information Commissioner's Office's first monetary penalties have left a lot of controversy in their wake.  That's to be expected for a watershed moment.  Personally, I'm glad no one has stepped up and argued that the companies should not have been fined for not using disk encryption software.

Penalty is Too Low

Two organizations were fined.  One of them was Hertfordshire County Council, which was fined £100,000 for two separate instances of erroneously sent faxes.  The other, which I covered yesterday, was A4e, which was fined £60,000 for the loss of a laptop containing sensitive information.

Some argue, as in this piece at newstatesman.com, that the fines are too small when compared to the maximum fine the ICO can hand out: £500,000.

Plus, compare it to the fine that the FSA handed out to a bank when its laptop got stolen:

When the Nationwide [Nationwide Building Society, a bank based in the UK] admitted to the loss of an unencrypted laptop in November 2006, the Financial Services Authority (FSA) punished it with a fine of £980,000. That despite the Nationwide insisting that the data could not have been used for identity fraud because there were no PIN numbers, passwords or account balances on it.

In that particular breach, over 11 million customer names were stored on the stolen computer.  There may have been addresses and account numbers as well.  Nationwide had not known that the information was stored on that particular laptop.

The A4e penalty pales in comparison.

Penalty is Just About Right

Others note that the ICO handed out the appropriate penalty.  Stewart at stewartroom.com notes that the nature of the penalty is meant to be symbolic.

Plus, the ICO is working with a capped amount: since the ICO knows that it's going to see worse offenders than A4e and Hertfordshire County Council, it doesn't make sense for the Information Commissioner to reach for the maximum fine right away.  Stewart also delves into how larger fines could have created grounds for a legal challenge to the fines.

My Take

I'm in the "penalty is just about right" camp.  Because the ICO has to work with a capped limit, in this instance, they can't be handing out fines that are close to the potential maximum without creating weird situations in the future.

For example, let's assume that the ICO had fined A4e £250,000 instead of £60,000.  If the UK sees a repeat of the 2007 HMRC CD fiasco -- where 25 million people were affected by the loss of two CDs -- how will the ICO explain the fact that it can only hand out a fine of £500,000, the maximum permitted?  The A4e breach involved 24,000 people, which is only 1/1000th of the HMRC figure, yet the fine would only be doubled?  That sends the wrong message.

On that same note, comparing a £60,000 fine with the £980,000 is not quite fair.  You also have to take into account the number of people affected.  In the A4e case, the fine amounts to £2.5 per person affected.  In the Nationwide case, the fine is £0.089 per person (that's not a typo -- that's essentially 9 pence).  Put in this frame, which of the two looks fair?

What I especially love about this entire brouhaha (I'm being sarcastic) is that people are focusing on the appropriate penalty figure, when they really ought to be discussing whether companies will improve their data security based on this latest salvo by the ICO.

I mean, isn't that what this is all about?

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.