Barnet council discovers 9000 reasons to encrypt data

The theft of the encrypted laptop – along with 20 unauthorised and unencrypted CDs plus USB sticks – resulted in the childrens' details, which included names, dates of birth, addresses, free school meals eligibility and school attainment records, also being stolen.

The recording of the data in an insecure format was in breach of security policies, said the council, although officials are claiming it was a random, not a targeted, raid and, as a result, there is a low risk that there will be any impact on individuals whose data was lost.

Council officials say that the lost data relates to children who were at a Barnet school in Year 11 over the past three years, aged between 15 and 18.

The theft incident took place around two weeks ago. Since that time officials have been working to contact parents and undertaking a full risk assessment to identify any child protection issues that this breach may have created.

Parents have all been notified, says the council, and a `questions and answers' report has been posted to the council's website.

Barnet council chief executive Nick Walkley, who apologised to those affected, said in a press statement that the incident was a clear breach of the council policies and the member of staff concerned has been suspended.

"We believe the risks attached to this data breach are minimal and the council has taken steps to minimise the risks still further. The council works to help and support children and young people every day and we take these duties extremely seriously", he said.

Infosecurity understands that the council has been in touch with the Information Commissioner's Office (ICO) and that other agencies were notified about the theft soon after it occurred.

Industry reaction to the data loss has been constructive, with Ewen Anderson, managing director at IT consultancy Centralis, saying that, if information security is left up to members of staff to remember to apply encryption to laptops and USB sticks it will inevitably fail, regardless of the good intentions of organisations or their staff.

"Successful security must be policy based and enforced by default – with exceptions either prevented or properly tracked" , he said.

"Keeping data securely within the datacenter rather than allowing it to be downloaded and locally stored remains the best option for any organisation trying to stay out of the press and on the right side of the ICO", he added.

Infosecurity notes that the council – although the affected parents may not agree – was probably fortunate that the incident did not occur after April 6, when new penalties of up to £500 000 can be imposed by the ICO's office, in cases where the organisation is found to be in serious breach of the Data Protection Act.

Jamie Cowper, European marketing director with data encryption firm PGP Corporation, said he's positive about the new penalties, and noted that the ICO, which has long demanded greater powers, will be able to severely punish those in serious breach of the Data Protection Act.

"For too long, organisations have continued to ignore the warning signs – risking both the privacy of their customers and the reputations of their brands", he said.

"The addition of a £500,000 fine, on top of the overall cost of a data breach should in theory provide enough of a financial deterrent for organisations reluctant to invest in their security strategies", he added.

According to Cowper – as PGP's research has shown that as a high percentage (70%) of UK organisations suffered a data breach in the last year – it is clear that the ICO is going to have to couple this new policy with a fresh awareness campaign if organisations are to truly recognise the financial sense of investing in proven technologies, such as encryption.

"Organisations would be well advised to act sooner rather than later, otherwise they may face the daunting prospect of being the first to suffer punishment from an ICO eager to demonstrate its new powers", he noted.

What’s Hot on Infosecurity Magazine?