
Thursday, October 09, 2008

Information Commissioner's Office demands encryption of mobile devices

Really this is very late.  How anyone can think of letting sensitive data escape into the wild because the device was not encrypted when one can buy pre-encrypted external disks, pre-encrypted USB memory sticks etc is beyond me.


When I'm working with clients I make a point of never, not ever, loading their data onto any of my own devices, and also making sure that, unless correct safeguards are in place, their data never leaves their premises in my possession.  Luckily I am not a data management organisation!  I consult on marketing and on privacy.

ComplianceAndPrivacy.Com has picked up the Eversheds e80 article on the UKIC's demand for encryption.  A small extract says:

Demonstrating the increasing appetite of the Information Commissioner's Office (ICO) to take enforcement action, Virgin Media Limited is the latest organisation to be held to account for a breach of the Data Protection Act 1998 (DPA). The breach seems to have occurred earlier this year following the loss of a compact disc that was passed to Virgin Media by Carphone Warehouse. The disc contained personal details of various individuals' interest in opening a Virgin Media Account in a Carphone Warehouse store.

In this instance, the ICO has not gone straight to issuing an enforcement notice (by contrast to the treatment of the Liberal Democrat Party last week), but has instead obtained a formal undertaking requiring Virgin Media to undertake certain steps to improve its security measures. The breadth of the obligation to use encryption will surprise many organisations.

Virgin Media is required, with immediate effect, to encrypt all portable or mobile devices that store and transmit personal information. Further, the company is to ensure that any service provider processing personal information on its behalf must also use encryption software and this requirement has to be clearly stated in all contracts. We suspect that in practice not many organisations expressly state this in their contracts. Most - if they deal with security at all - will contain the generic security language contained in the seventh principle of the DPA.

One major challenge is that there is no real guidance on what is deemed to be secure, say critics of the UKIC.  "Not so," say I.  "There is nothing to criticise."

We are required by the 7th Principle to take relevant steps to keep data safe.  There is no getting around it.  Data must be secure.  Period.  So, while it's on your premises there must be access controls, and when it leaves your premises there must be access controls.  And this includes encryption when transmitting data files by email.

None of this is rocket science.  All of it is common sense.  So why do so few people use common sense?

I wonder if it has anything to do with Company Policy?

And, if it has (0.9 probability) then that policy has to be changed.  You need a real Data Privacy Policy embedded in your Human Resources Policy Manual, with disciplinary action inherent in breaches of that policy.

And you need to get wise and buy the encryption.

Or will your organisation be the next one to hit the media for having a laptop stolen?
