UK Police Fined For Using Unencrypted Memory Sticks

An anonymous reader writes "The Information Commissioner's Office has filed a suit for £120,000 against the Greater Manchester Police because officers regularly used memory sticks without passwords to copy data from police computers and work on it away from the department. In July 2011, thousands of people's information was stolen from an officer's home on an unencrypted memory stick. A similar event happened at the same department in September 2010. 'This was truly sensitive personal data, left in the hands of a burglar by poor data security. The consequences of this type of breach really do send a shiver down the spine,' said ICO deputy commissioner David Smith."

  • *facepalm* (Score:5, Interesting)

    by girlintraining ( 1395911 ) on Wednesday October 17, 2012 @12:17AM (#41677989)

    Yes, a fine against the police department will certainly show them! Oh wait.. isn't it the taxpayers who pay for their budget... sooo, wouldn't that mean the taxpayers will wind up paying for this? Some of them, twice even -- once for the loss of data, and again when they have to pay for it with their next tax return (admittedly, mere fractions of a pence, but it's the principle of the thing). That seems like a terribly effective method of teaching those officers not to leave sensitive data around! Far more effective, I think, than suspending one without pay or additional training on how to properly handle sensitive information.

  • by Dr_Barnowl ( 709838 ) on Wednesday October 17, 2012 @04:45AM (#41679039)

    They really should have known better - the National Health Service has been lambasted on several occasions for similar data leaks and has thoroughly learned its lesson. We are not permitted to mount unencrypted USB volumes any more.

    But the encrypted drives we are required to use if we need to transfer data are purchased from a central contract - and cost us £64 ($103) for a 2GB flash unit. I'm not surprised if there is a certain reluctance amongst the police to purchase that kind of deal.

    When I first saw that price I assumed they were some kind of military grade unit with a hardware encryption controller. They are not, they're just partitioned, with a custom driver in the first, plaintext, partition. So they are taking units that were probably about £5 (at the time) and making a very substantial mark-up.

    Our standard advice on what to do with an encrypted drive after we're done with it is not to just wipe the key block, making the data into worthless noise, but to physically destroy it. I'm willing to bet that our friendly encrypted storage vendor thought that one up.

    As you quite rightly say, there are other options. I estimated that I could knock together a solution using TrueCrypt - including all the features that the current solution has, like key escrow - and sell them for about £15 a go. You can't even *buy* 2GB flash drives at my usual retailer any more, or even 4GB units, so they'd have to put up with having 4 times the capacity. But I'd still be making a good margin - those 8GB drives are now around £5 retail. And the TrueCrypt solution has the advantage of working on every platform, not just Windows.

  • Re:*facepalm* (Score:4, Interesting)

    by PT_1 ( 2425848 ) on Wednesday October 17, 2012 @05:10AM (#41679159)

    Oh wait... isn't it the government who receives the payment for the fine? ;)

    All this does is shift money. The government is just paying itself. It doesn't cost the taxpayer any more.

    To some extent.

    However, in the UK the police are funded partially through central government funds and partially through local council funds. People here pay income tax, which goes to central government, and a smaller amount of 'council' tax, which is for use on local services, police, fire departments etc.

    What these fines do, in effect, is to take money that residents of the area have paid to police the local area and give it back to central government. The health service is currently fighting a similar £325,000 (over $500,000) fine.

    These organisations should be held accountable for privacy breaches, but taking money away from residents and patients is not the answer.
