Every so often something comes along that really does change how things work, and only last week this happened again. The implications are far-reaching for the IT industry.
As you may be aware, the Information Commissioner’s Office (ICO) has begun to issue fines over breaches of the Data Protection Act (DPA). Since there have been a large number of published data losses, this cannot come soon enough for the general public.
Last week another set of fines was issued, to Ealing Council at £80,000 and Hounslow Council at £70,000; you can read the full story here. What is so special about this case is that it involved the loss, from an employee’s home, of two unencrypted laptops, one from each council, containing the details of around 1,700 individuals. Ealing Council provides an out-of-hours service on behalf of both councils, which is operated by nine staff who work from home. The team receive contact from a variety of sources and rely on laptops to record information about individuals. Ealing Council was found to be in breach of the DPA as it had issued an unencrypted laptop to a member of staff, which is in breach of its own policies. This process had been established for a number of years, and insufficient checks were made to ensure that relevant policies were understood and adhered to by employees. Hounslow Council was found to have breached the DPA as it had failed to have a written contract in place with Ealing Council. It also did not monitor Ealing Council’s procedures established to operate the service securely.
You may be wondering why this changes everything. As an outsourced IT service provider, there may be occasions when you have to remove a laptop, desktop or server from site in order to repair it, a normal everyday IT activity. What this could mean is that if that device is lost or stolen while in your possession and it is not encrypted, you will potentially share equal liability for the data loss. Since that liability can include a rather hefty fine of up to £500,000, not to mention the bad press that would go with it, the impact on your business could be catastrophic.
The question now is, what are you going to do to mitigate your risk? Please feel free to drop in a comment on this, as I would love to hear your thoughts.