The Information Commissioner’s Office (ICO) has fined an organisation for a serious breach of the Data Protection Act – the first such fine to be issued under new tougher guidelines in the UK.
The security breach at Sheffield-based firm A4e happened in June 2010, after the company issued an unencrypted laptop to an employee in order to work from home. The laptop was subsequently stolen from the employee’s house.
Unfortunately it carried personal data relating to 24,000 people who had used community legal advice centres in Hull and Leicester.
It included full names, dates of birth, postcodes, employment status, income level, information about alleged criminal activity and whether an individual had been a victim of violence.
It is understood that an unsuccessful attempt was made to access the data on the hard drive shortly after the computer was stolen. Quite rightly, A4e reported the incident to the ICO, and subsequently notified the people whose data could have been accessed.
The ICO have now fined A4e a total of £60,000, saying that the data loss could have caused individuals “substantial distress”, and admonished them for not putting encryption in place despite knowing the amount and type of sensitive data being held on the laptop.
And that’s the point, of course. The entire problem and the subsequent fine were entirely avoidable if the laptop had been properly encrypted, as Information Commissioner Christopher Graham noted:
"Thousands of people's privacy was potentially compromised by the company’s failure to take the simple step of encrypting the data".
NCS have solutions available for encrypting laptops, desktops and USB drives. Prices start from around £40.00 + VAT for a secure USB pen drive. Please call 01706 239000 to order.
For a full report on this by Sophos Senior Technology Consultant, Graham Cluley, please visit http://nakedsecurity.sophos.com/author/gcluley/