BreachExchange mailing list archives

Small businesses urged to encrypt data after London sole trader fined £5,000


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 26 Sep 2013 23:51:52 -0600

http://www.telegraph.co.uk/technology/internet-security/10336836/Small-businesses-urged-to-encrypt-data-after-London-sole-trader-fined-5000.html

Wembley-based loans company Jala Transport was hit with the penalty after
it lost a hard drive containing financial details relating to all of its
approximately 250 customers.

The hard drive was stolen from the business owner’s car while it was
stationary at a set of traffic lights in London on 3 August 2012. The
external hard drive was in a case with some documents and £3,600 in cash.

The hard drive was password protected but – crucially – not encrypted, and
included details of the customers’ names, dates of birth, addresses, the
identity documents used to support their loan applications and details of
the payments made.

The initial incident would have resulted in a penalty of £70,000 being
imposed, but the limited financial resources of the company resulted in the
penalty being lowered to £5,000. The ICO also took into account the fact
that the data breach was voluntarily reported.

“We have continued to warn organisations of all sizes that they must
encrypt any personal data stored on portable devices, where the loss of the
information could cause clear damage and distress to the customers
affected,” said ICO Head of Enforcement, Stephen Eckersley.

“While the circumstances of this case are unfortunate, if the hard drive
had been encrypted the business owner would not have left all of their
customers open to the threat of identity theft and would not be facing a
£5,000 penalty following a serious breach of the Data Protection Act.

“The penalty will have a real impact on this business and should act as a
warning to all businesses owners that they must take adequate steps to keep
customers’ information secure.”

The ICO’s Group Manager for Technology, Simon Rice, explained in a blog post
that encryption software uses a complex series of mathematical algorithms
to protect and encrypt information. This hides the underlying data and
prevents any inadvertent access to, or unauthorised disclosure of, the
information.

This means that even if a device containing personal information is lost or
stolen, the information will remain secure as long as the would-be data
thief isn’t able to obtain the encryption key required to decrypt it.

“Appropriate encryption products are widely available, but it is important
that organisations understand the type of protection a particular
encryption product offers and the circumstances under which personal data
will be protected from unauthorised or unlawful access,” he said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 