Information Commissioner Offers Advice – and a Warning – on the Use of Encryption

But according to a new blog post on the ICO website, “data controllers are still not addressing the problem.” Simon Rice, group manager, technology at the ICO aims to provide “a useful insight into how encryption works and the encryption options available to you and your organization to help you keep personal information secure.”

He stresses that password protection is not encryption. He describes the difference between file encryption and full disk encryption. He stresses that crypto keys need to be protected and distributed in a secure manner. But he does little more than this. The reality is that he seems to be describing personal use of encryption for personal data on personal devices – when the real problem is corporate loss of control over personal data.

This has not been lost on Dave Anderson, senior director at Voltage Security. “Our observations,” he says, “are that an over-arching data protection framework is the only viable solution if businesses want to ensure that all of their data remains protected and private anywhere it moves, anywhere it resides, and however it is used.”

Anderson fears that in trying to cover a wide-ranging subject in a single piece of advice, the ICO falls between two stools: too simplistic for organizations, and too confusing for consumers. For example, Anderson commented, the ICO notes that smartphones and tablets can store a large volume of data – which is spot on – but then ignores how data can be protected on those devices, and moved securely onto and off the devices against a backdrop of a bring-your-own-device workplace.

The problem is that in a corporate environment users are accustomed to moving data around, both between colleagues and between devices. Unless the encryption process is simple and automated, there will always be a tendency for users to bypass the process for the sake of efficiency. An encryption policy therefore needs to be set and enforced at the organizational rather than the personal level. It is, after all, the organization rather than the user that will be fined by the ICO for any failure.

Data protection “is the employers’ obligation to both their customers, whose data it holds under confidentiality agreements, and their employees, whose personal and sensitive data is legally bound to be protected,” said Guy Bunker, SVP products at Clearswift in an email comment to Infosecurity. But it’s complicated. “In order for encryption to have an impact, it must be enforceable in multiple places; a multifaceted implementation across the business would seal the data inside the confines of the network on an adapted (or bespoke) ‘need to know’ basis.”

“Using encryption tools effectively requires an understanding of both how and why they work,” he says.

But it’s worth the effort. As Rice notes, “the time and cost of proper encryption is put into sharp perspective by a quick glance over the penalties issued in three recent cases where encryption wasn’t used (£700,000 in total). The price of getting it wrong could therefore extend well beyond upsetting people…”