November 15, 2007

Lose an unencrypted laptop and 'face criminal action'

Britain's data protection commissioner finally calls for some teeth

By Tash Shifrin


The data protection watchdog has called for criminal action against those who lose individuals’ personal data on unencrypted laptop computers.

Information commissioner Richard Thomas and his deputy, David Smith, revealed to members of the House of Lords they had called on the Ministry of Justice to make it a criminal offence “for those who knowingly and recklessly flout data protection principles” where there are serious consequences.

Smith told the Lords constitution committee that an example might be a doctor leaving a laptop containing personal details of patients in a car. It was “hard to say [this was] anything other than criminal negligence”, he said.

At present, the Information Commissioner’s Office is largely toothless in the face of serious data security breaches. In March, the watchdog issued a warning – largely a slap on the wrist – to 11 banks that dumped customer data in outside rubbish bins.

But the ICO officials told the Lords committee that stronger measures were needed and that “a blatant breach” of data protection laws should attract a criminal penalty.

Committee members pressed the ICO team, with one peer pointing out that GPs sometimes had to carry patients’ data with them and arguing that a criminal penalty for the loss of a laptop holding such information was “out of proportion”.

Thomas replied that criminal sanctions should be used where a laptop had “a lot of personal information that hasn’t been taken care of and hasn’t been encrypted”. Doctors and others carrying sensitive information on portable devices “should know the basics of encryption”, he told the committee.

The ICO was not seeking to criminalise doctors for a single incident, but where there was “gross negligence”, Thomas said.

HM Revenue and Customs is among the organisations that have recently suffered high profile data security breaches as a result of laptops being lost or stolen. The HMRC laptop containing taxpayer data was encrypted – but other organisations have often failed to encrypt their machines.

Smith also told the Lords that the watchdog body was seeking powers to inspect organisations to check whether they were applying data protection laws. The ICO was “almost unique” in not having powers to check that regulations were being put into practice, he said.

The ICO has previously put the case for inspection powers to the Commons home affairs committee.

Comments received

Criminal said on Monday, 19 November 2007

I'm all for making corporations responsible for the data they possess by penalizing organizations who fail to take measures to protect their data. I would start by penalizing all the corporations using Microsoft applications. I think that is reasonable, but I am not for this law as it criminalizes individuals who may not have the power, knowledge, or intent. If you want to educate the public the best place to start is in school, not legislation.

IT Dude said on Monday, 19 November 2007

@ Criminal - we can't wait 20-50 years for that kind of education to manifest itself into mainstream practice - your health/accounts/insurance details etc are already being carried around on someone's laptop. No PC is 100 percent impregnable, so your choice of OS is moot. By popular consensus the weakest point in IT security is still the users. This legislation could go a long way to solving the problem; by putting more personal liability on the end user there is more chance of them taking better personal responsibility for our sensitive data, and by one step removed provide more incentives to educate people in the workplace into better working practices.

Dan Shappir said on Monday, 19 November 2007

While encrypting local data can be a solution, ensuring that all sensitive data is properly encrypted can be difficult. Moreover, proving that all such data has been encrypted after a laptop has been lost or stolen is practically impossible. A much better solution is to simply store all data on central servers at the data center, and access them remotely via Server Based Computing: ericomguy.blogspot.com/2007/11/sbc-could-save-you-from-jail.html
