AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Archives

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

UK Data Protection: ICO Penalizes Telford and Wrekin Council £90,000 For Two Breaches In As Many Months

The Information Commissioner's Office (ICO) in the UK has announced that it has penalized another UK body for lacking adequate controls when it comes to data security. The fine this time is a hefty £90,000 for two data breaches in two months. It's one of those cases that shows data encryption software like AlertBoot can only go so far in protecting organizations from themselves.

That's right, "from themselves." You see, the problem in this case was that the council's internal processes were defective.

Default Settings Cause Breaches

The ICO's site has descriptions of the two data breaches:

The first occurred on 31 March 2011, when a member of staff working in Safeguarding Services sent the Social Care Core Assessment of one child to the child's sibling instead of their mother, who lived at the same address. The assessment included sensitive details of the child's behaviour. It also included the name and address, date of birth and ethnicity of a further young child who had made a serious allegation against one of the other children.

The second breach concerned the inclusion of the names and addresses of the foster care placements of two young children in their Placement Information Record (PIR). The PIR was printed out and shown to the children's mother, who noticed the foster carers' address. The Council then decided to move the children to alternative foster care placements to minimise the effect on the data subjects concerned. [ico.gov.uk]

An investigation into the matter found that, in the first case, the individual's details were set to print automatically by default. The same was true in the second case.

Who could have imagined that the default settings which lead to data breaches would include non-hardware items? After all, firewalls, routers, and software need a default setting because coordinating passwords for each individual piece of equipment would be nigh impossible (hundreds of thousands of such devices are sold each year), or at least an attempt to individualize the default settings would too frequently run into problems. But a program that asks you whether or not to print information? If you work in a sensitive environment, the default should be "no" for everything -- "opt-in printing," if you will.
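As an added illustration (not code from the original post or from any real case-management product), the following models the two print policies the post contrasts: a record whose sections carry third-party details is printed in full under a "print by default" policy, and only with explicit opt-in under the safer one. The record and policy shapes are assumptions for illustration.

```python
# Added example: "print by default" vs "opt-in printing" for a record that
# mixes the recipient's own data with third-party details (e.g. a foster
# carer's address). Record/policy shapes are assumptions, not a real product.
from dataclasses import dataclass

@dataclass
class Section:
    title: str
    subject: str                 # the data subject this section is about
    text: str
    third_party: bool = False    # carries details about someone other than the subject

@dataclass
class PrintPolicy:
    print_third_party_by_default: bool    # True = the weak default the post describes
    opt_in: frozenset = frozenset()       # section titles a worker explicitly approved

def render_for_recipient(sections, entitled_subjects, policy):
    """Return (printable text, titles of suppressed sections).

    A section is printed only if it concerns a subject the recipient is
    entitled to see AND (it has no third-party detail, or printing such
    detail is the default, or the section was explicitly opted in)."""
    printed, suppressed = [], []
    for s in sections:
        allowed = s.subject in entitled_subjects and (
            not s.third_party
            or policy.print_third_party_by_default
            or s.title in policy.opt_in)
        (printed if allowed else suppressed).append(s)
    text = "\n".join(f"[{s.title}] {s.text}" for s in printed)
    return text, [s.title for s in suppressed]

# Constructed sample loosely resembling the Placement Information Record above.
PIR = [
    Section("Child details", "child_A", "Name, date of birth, school"),
    Section("Placement", "child_A",
            "Foster carers: <constructed name>, <constructed address>", third_party=True),
    Section("Other referral", "child_C", "Allegation details about another child"),
]
MOTHER = {"child_A", "child_B"}          # subjects the recipient may see
WEAK = PrintPolicy(print_third_party_by_default=True)
OPT_IN = PrintPolicy(print_third_party_by_default=False)

def demo():
    """(weak output leaks the address?, opt-in output leaks it?, what opt-in held back)"""
    weak_text, _ = render_for_recipient(PIR, MOTHER, WEAK)
    safe_text, held = render_for_recipient(PIR, MOTHER, OPT_IN)
    return ("address" in weak_text, "address" in safe_text, held)
```

Under the opt-in policy the foster carers' section only prints when a worker adds "Placement" to `opt_in`, which is exactly the deliberate step the post argues should be the default.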

A Progression of Sorts

As I review the history of monetary penalties the ICO has handed out, it appears that a shift is under way: more and more of these fines are for incidents that involve something other than a laptop or other digital storage device going missing or being stolen.

Granted, there is the Brighton and Sussex University data breach, which incurred the largest penalty to date (£325,000) and involved stolen hard drives; however, all other penalties in 2012, as seen in this DPA breach penalty timeline, involve paperwork or errant emails.

In the cases where laptops were stolen or went missing, encryption software had been used to secure the data, rendering a data breach a moot issue.

It kind of makes sense: about two years ago, the ICO starts going after laptop, external hard drive, and USB data breaches and everyone takes notice. Those who couldn't have cared less begin encrypting their data storage devices. Consequently, I assume, the incidence rate of "data at rest" breaches starts plummeting. However, other kinds of incidents start to rise. So, the ICO goes after those.

It's the classic Pareto principle at work: go after the top 80% of a problem; solve it. Go after the next top 80%; solve it. Repeat as needed.

Next Stop: BYOD and Mobile Security?

As the world starts embracing the BYOD trend and the "consumerization of IT," no doubt the next looming target in the ICO's crosshairs will be companies and organizations that begin to experience a rash of mobile device data breaches.

You might say, "well, that shouldn't be. The technological solutions for preventing those breaches from happening are already here, today." And you're right. Even AlertBoot is getting into the mix with a mobile security solution.

But this is my observation: the technological solutions for preventing today's data breaches involving laptops, external hard drives, and the like existed well over 10 years ago, in terms of robustness and ease of use (disk encryption technology itself has obviously been around for well over two decades).

It's only in the past 2 or 3 years, though, that those who've always needed it have suddenly started exploring their options.


Related Articles and Sites:
http://www.ico.gov.uk/news/latest_news/2012/telford-wrekin-council-fined-following-disclosure-of-vulnerable-childrens-data-06062012.aspx
http://www.guardian.co.uk/government-computing-network/2012/jun/06/telford-wrekin-data-breach-fine-ico?newsfeed=true


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.