
Case For Encryption

by msecadm4921

The latest two laptop data loss incidents in the educational sector – details of which were given by the Information Commissioner’s Office on October 5 – are slightly different from the usual data loss censures by the regulator, says SecurEnvoy. But, the tokenless two-factor authentication product company says, both incidents occurred in educational organisations where staff really should have known better when it comes to encrypting personal data.

Yet, despite this – and the fact that one of the laptops actually had encryption software installed on it – the breaches still happened.

According to Steve Watts, SecurEnvoy’s co-founder, while both educational organisations should have known better, the fact that these laptop breaches actually happened suggests that there is a sizeable gulf between security theory and practices relating to IT systems when it comes to day-to-day usage.

“The ASCL incident – in which a laptop containing sensitive information was stolen from an employee’s home – is particularly interesting, as the computer reportedly had encryption software installed, yet the decision on whether to encrypt specific files was effectively optional, as I understand it,” he said.

“This tells us a lot about the gulf between the theory and the practice in that organisation. Security, as all professionals know and understand, should not be optional, but mandatory, so whoever installed that software – or interpreted the ASCL’s security policy as they did – is probably now feeling the wrath of management, but I think this incident reveals that the technology designed to enforce security policies not only needs to be bullet-proof, but also very easy to use,” he added.

The SecurEnvoy co-founder went on to say that, when he and Andy Kemshall formed the company way back in 2003, they had a firm idea of developing a security authentication system that was so easy to use that anyone that can operate a mobile phone could also use the SecurEnvoy security platform.

Eight years down the technology turnpike, he explained, and the company has users of its technology on all five continents – and those users probably don’t think twice when using their mobile phone as a means of authenticating themselves to a central resource and across the internet.

Despite what some IT professionals claim, he says, effective security is not rocket science, but is more about simple-to-use and transparent technology that “just works,” leaving people to get on with their regular business.

Had security – such as tokenless two-factor authentication – been in active use on the ASCL laptop stolen from the employee’s home, then it is almost certain that the censure by the ICO would not have happened, according to the IT company.

Coupled with the fact that Holly Park School in Barnet – where the second laptop containing unencrypted data was stolen – did not even have a data protection policy in place at the time of the theft, this again highlights the differences between IT security theory from a management perspective, and the reality at the sharp end in the school’s classrooms, according to the IT firm.

“Yes, it’s always a shock when a laptop containing business information is stolen, but it’s a lot easier to pick up the pieces after an incident if you know the data on the machine is encrypted and cannot therefore be read by the thief – or anyone else handling the stolen computer,” he said.

“Questions are obviously being asked in both organisations and, as the dust settles on the ICO rulings on these incidents, systems and procedures will be introduced – and/or tightened up – but without easy-to-use technology being available to staff on the ground, then these sorts of incidents will happen again and again in other organisations, and the ICO’s office will never be short of business,” he added.

“That may make for good headlines in the IT media, but it isn’t good for the staff at the sharp end, who are left to implement draconian security policies with the technology equivalent of blunt instruments.”

For more on the ICO’s latest educational data loss rulings: http://bit.ly/phVlnk

Two organisations have taken action after they breached the Data Protection Act by failing to encrypt personal information on laptops that were later stolen, the Information Commissioner’s Office (ICO) said today.
The Association of School and College Leaders (ASCL) breached the Data Protection Act in May 2011 when a laptop – containing sensitive personal data – was stolen from an employee’s home in Yorkshire. The ICO’s enquiries found that, while the laptop had encryption software installed on it, the decision on whether to encrypt individual documents was left to the employee. At the time of the theft the laptop included unencrypted personal information relating to approximately 100 individuals, including details of their membership of the union and in some cases, details of their physical or mental health.

In a similar incident, Holly Park School in Barnet breached the Act when an unencrypted laptop was stolen from an unlocked office at the school on 1 May. The device contained details of pupils’ names, addresses, exam marks and some limited information relating to their health. After investigating the breach the ICO also discovered that the school had no data protection policy in place at the time of the theft.

Acting Head of Enforcement, Sally Anne Poole said: “The ICO’s guidance is clear: all personal information – the loss of which is liable to cause individuals damage and distress – must be encrypted. This is one of the most basic security measures and is not expensive to put in place – yet we continue to see incidents being reported to us. This type of breach is inexcusable and is putting people’s personal information at risk unnecessarily. We are pleased that the Association of School and College Leaders and Holly Park School have taken action to make sure the personal information they collect remains secure.”

Both organisations have now taken action to make sure the personal information they handle is protected. This includes ensuring that portable devices used to store personal data – including laptops – are appropriately encrypted. Both organisations will also introduce adequate checks to make sure their employees are following policies and procedures governing the secure use of personal information.


© 2024 Professional Security Magazine. All rights reserved.
