23 Feb 2011
Cambridgeshire County Council has breached the Data Protection Act by losing a memory stick containing sensitive data, the Information Commissioner's Office (ICO) has revealed.
In November 2010 a council employee lost an unencrypted memory stick containing information pertaining to at least six vulnerable adults, which included case notes and minutes of meetings.
The device was used to store the information after the employee could not get his encrypted stick to work.
"While Cambridgeshire County Council clearly recognises the importance of encrypting devices in order to keep personal data secure, this case shows that organisations need to check their data protection policies are continually followed and fully understood by staff," said Sally Anne-Poole, enforcement group manager at the ICO.
The breach occurred shortly after the council had run a campaign to promote its encryption policy, during which staff were asked to hand in unencrypted devices and were given free sticks to use.
"Although no specific fine has been reported on this occasion, the ICO's very public announcement still sends a powerful message to businesses of all sizes: they must act now to ensure their data and IT security measures are adequate or face reputational damage, if not a fine as well," said Chris Jenkins, head of security at Dimension Data UK.
"Traditionally, risk has been difficult to quantify and build a business case for. This has meant that – all too often – IT security has only been looked at when it is too late: after a data loss incident or a security breach," he added.
"With some simple security measures – involving people, processes and technology – the damage from such losses can be greatly reduced or even totally eliminated. Hopefully these ICO announcements and fines will convince organisations that they need to lift their game and reduce the damage data losses cause to their customers and stakeholders, and themselves."
The ICO also revealed earlier this week that the Passport and Identity Service has breached the Data Protection Act.
This news once again stands as testament to the fact that current storage security solutions for removable storage are not adequate or do not fit the way that users and organisations need to operate in order to remain efficient and productive.
Countermeasures such as complex endpoint security solutions that only allow specific USB devices or approved removable media to be used are extremely expensive and cumbersome, as well as impacting significantly on PC performance. The draconian approach of locking down all the PCs in the workplace to prevent the use of USB ports for any devices is similarly impractical, limiting productivity and preventing legitimate duplication of data for backup, testing, approved sharing and offline working.
Here, it would have been better to use a combination of strong encryption with remote management and wiping so that end users are afforded an extra level of security and protection in the event they lose a device or have one stolen from them.
Posted by: Tom Colvin, CTO, Conseal Security 24 Feb 2011