Keep that data safe... or else
Posted 30 January 2008 at 10:00AM by Ian Betteridge in Internet security
You might have missed the parades and celebrations, but Monday was in fact Data Protection Day, set up by the Council of Europe to highlight data protection issues. However, what's more likely to grab the attention of businesses is the slapped wrist given to Marks and Spencer over the loss of a laptop containing personal details of 26,000 employees - a loss for which the Information Commissioner's Office is holding M&S responsible.
The M&S case is doubly interesting: not only does it concern the personal information of employees rather than customers, but the company didn't misuse the information - something you'd expect to be at the heart of any issue concerning the Data Protection Act.
In fact, though, the ICO found that M&S had been at fault simply by putting the data on a laptop without encrypting it - making the theft of the data the company's responsibility. While M&S aren't being fined, they must now ensure that all their laptop hard drives are encrypted.
The lesson for business is simple: when handling personal data, whether from your employees, customers, or anyone else, you need to ensure that it is password protected and encrypted. This is especially true if you are allowing such data to leave the building on laptops. Simply telling employees not to put this kind of data on a laptop may not be enough to cover you under the Data Protection Act - so make sure you read the ICO's guidance on data security and its good practice guide to securing personal information (PDF download).
Tags: bt, bt broadband office, data protection, data security, laptop security, security
Comments
2. At January 30, 2008 11:13 AM, Jim Duggan wrote:
M&S and the Government are at it.
How difficult is it to look after such valuable information? But why was 26,000 employees' info kept on one laptop and not on an encrypted server that can have remote access, so the only people who can access it are people who need to?
Thankfully I don't work for M&S, but I can't help but wonder what will happen next.
The government try and save money by sending important info on a CD via Royal Mail, who have proved to be as reliable as Network Rail.
M&S should be heavily reprimanded to show that this kind of lax attitude will not be tolerated.
I can nearly guarantee that the directors' info wasn't among the employees' data lost!
3. At February 1, 2008 8:33 AM, Carl Lotter wrote:
Data protection laws are not being treated with enough respect. The penalties are not being implemented. Is there even a set of guidelines for penalising those who breach these regulations? I think people place too much trust in those who are clearly not trustworthy, and we end up having to take it all on the chin. People in the "black market" must be having a good old laugh.
4. At February 1, 2008 3:33 PM, james wrote:
As a mail order company, we do not keep customer personal data on our computers for longer than 45 days. We never record customer credit card details on our computers - in fact, we never receive them in the first place. Our bankers handle all this for us.
Anybody who takes personal or company data outside the business and loses it should be dismissed immediately.
James