NHS lost laptop leads to refreshed discussion on device location and security
This week's news about the NHS losing a laptop with a suspected eight million records on it has once again raised the issue of security on removable devices.
While hardly a new issue, three of the Information Commissioner's Office (ICO) fines have been issued over lost laptops (to Ealing, Hounslow and A4E). The storage of eight million records on one unencrypted laptop raised many eyebrows.
Mick Gorrill, former head of enforcement at the ICO and now consultant at Field Fisher Waterhouse, said it is ‘inconceivable’ that a laptop or USB stick would be unencrypted in this day and age.
The news also follows a recent discussion in Parliament where Keith Vaz, MP for Leicester East, asked John Thurso, MP for Caithness, Sutherland and Easter Ross, how many cases of theft from the parliamentary estate were reported in each year since 2006 and what the items reported stolen were.
Thurso revealed that between 2006 and 2010, six laptops were reported stolen, but so far in 2011 25 laptops have been reported stolen along with two ‘computers’. A Freedom of Information Act request from a year ago to the Ministry of Defence (MoD) found that 340 laptops were lost between 2008 and 2010, with fewer than half containing encrypted data.
Stephen Midgley, vice president of global marketing at Absolute Software, said that specifically with regard to the parliament case, what is interesting is that theft has increased year over year, begging the question about premises security and what was stored on those mobile devices.
He said: “Has constituents' personal information been exposed? Were Government documents exposed? What is Parliament doing to eradicate such theft and what actions have been taken to ensure the data on these stolen devices does not fall into harm's way?”
“When a laptop is stolen, an organisation's first and most immediate concern must be the data stored on the device. The faster an organisation can react to the loss, the quicker it can mitigate the risk to both itself and, more importantly, to its customers.”
Specifically with regard to the NHS case, Midgley said what concerned him was the time lag between when the device was lost and when the police were informed. “This will certainly be disconcerting to the 8.63 million people whose data may be exposed. In this age of mobility, it is a business necessity for organisations to have complete visibility into all of their devices: where they are, what is on them and, most importantly, to be able to take action when a device is lost or stolen,” he said.
“In such instances, action must be quick and decisive. Organisations do not have the luxury of days to contemplate next steps. Their primary concern must be data protection/retrieval and the secondary concern has to be how the device was lost or stolen in the first place.”
Benjamin Boulnois, UK manager of endpoint protection vendor DigitalPersona, said that the proliferation of devices these days multiplies the number of vulnerabilities that an organisation faces.
He said: “Encrypting centrally-held data is useless if the same information is allowed to exist on devices, such as laptops and mobiles, which can easily be lost and stolen. Encrypting the full disk on a laptop is the easiest way to accomplish encryption.
“While this applies to any organisation, it is especially true for healthcare providers, who deal with extremely sensitive, personal and confidential patient information such as medical records. Data must be protected wherever it resides.”
Don Smith, VP of engineering and technology for EMEA at Dell SecureWorks, said that the NHS incident shows the importance of protecting data and applying basic data protection principles.
He said: “People at all levels within an organisation need to understand that a data loss or breach will have consequences for them, their employer and of course the individuals whose information has been lost and potentially obtained by those with criminal intent.”
Gorrill said that in the event of a data breach, a local authority has to inform the ICO, while it is different for the private sector. He said: “The ICO is interested in harm or distress to individuals; you should put technologies in place to protect data subjects. It is best to be upfront with the ICO and my advice is to tell them early even if you are not aware of the circumstances, as not telling the ICO will only increase a penalty.”
Smith said: “Often, companies wait until they have been the victim of a data loss event before ensuring they are fully protected. However, legislative measures such as PCI DSS, Sarbanes-Oxley and Basel II provide essential legal guidelines for organisations to follow and ensure data assets are protected.”
The reports about the NHS ‘losing’ the laptop are fairly vague and there is still every possibility that it may reappear. What this case has proved, though, is the need to know where your data is, wherever it resides, and how it should be secured. If it is not secure, it is not just the bad press that you need to be concerned about.