Losing Personal Info On A Laptop Could Get You Charged 199
E5Rebel writes "The UK's data protection watchdog has called for legislation that would punish corporate or government officials with access to the public's personal data ... who lose it. Unencrypted laptops with this personal information which are lost or stolen will see their owners facing criminal charges. 'HM Revenue and Customs is among the organisations that have recently suffered high profile data security breaches as a result of laptops being lost or stolen. The HMRC laptop containing taxpayer data was encrypted - but other organisations have often failed to encrypt their machines.'"
About Bloody Time (Score:5, Insightful)
Re:About Bloody Time (Score:4, Insightful)
However, I believe a lot of the cases where sensitive data is lost, happen because the person losing them wasn't educated enough about the risks involved and the security needed to lower the risks. In this case their employer is fully responsible and they should be held fully accountable for their actions. By paying huge sums of money to the people who's data they lost for example!
Countries should extend exisiting laws and create new ones that make this a very serious crime, as the implications of losing sensitive data can be quite tremendous to the person who's data is lost in today's world.
Re:About Bloody Time (Score:5, Insightful)
Ignorance as a defence (Score:5, Informative)
The problem with the whole "ignorance is not a defence" argument is that, as convenient a sound-bite as it makes, it's still an unreasonable cop-out.
No-one knows what every law in the country that applies to them says. Even if they did, many people could not understand the legalese without assistance. There have been demonstrations that show that even MPs who approve our legislation can't complete their own tax return correctly. Our own government frequently fails to follow its own laws because some official didn't know what some other official was doing — and that's their full-time job!
It may be a legal convenience to say that ignorance is not a defence, but ethically it is a very dubious principle if it isn't matched with an effective education policy that makes it a reasonable assumption that everyone should know and understand all the laws that apply to them. If you construct a system where no-one can know it, and then say that not knowing it is no defence, then you are simply criminalising arbitrarily, and that is universally the mark of a legal system gone too far.
If in doubt, do nowt (or leave it out) (Score:2)
If you're getting into a particular specialised line of business then it's your responsibility to do your homework, get advice etc pertaining to it[1]. Likewise when making a major acquisition, such as a house - and that's the mos
Re: (Score:2)
Ignorance as a defence is invalid because it's impossible to disprove it; anyone couldclaim not to know murder's illegal.
I understand why the legal system adopts the position it does. It is, like much in law, a pragmatic concession. That doesn't make the principle right, though.
As I said, if you want to adopt such a position, it is only fair to institute educational policies such that people can reasonably be expected not to be ignorant. It's interesting that you say in one paragraph that "everyone knows shoplifting is illegal", yet in the next that "anyone could claim not to know murder's illegal". Sorry, but you can't h
Re: (Score:2)
Not that gov't personnel should be allowed to bring data in the clear home with them, but we have to recognize that such a law could be grounds for gross abuse.
Re: (Score:3, Insightful)
Re: (Score:2)
Yes, because it's so much harder to lose a USB pen drive than a laptop...
Re: (Score:2)
Seems to me it would be even easier to lose a tiny little thumb drive with incredibly valuable data on it than an entire laptop... Unless it was maybe attached to them with some like of a locking lanyard/bracelet type thing. But I don't really see how moving it to an even smaller and more portable media would make it less likely to get lost.
Re: (Score:2)
What, exactly, is unreasonable about that? You wouldn't leave your wallet in plain view on the seat of an unlocked car, right? I can't understand why people find this so fucking difficult to wrap their heads around.
Re: (Score:2, Insightful)
But the better solution would be technical and prevent any ONE user for gathering personal data on more then X number of people. There is no valid reason a user should be walking around with a copy of the DB with personal data in it. If anything, it should be but on a
Management and IT policies (Score:2)
- have encrypted file systems
- password access for logging into the computer, after power-up, wake-up and screen-saver deactivate
If they are their own computers then either they should not b
Re:About Bloody Time (Score:5, Informative)
What a vague rant. Near as I can tell, you disagree with punishing people who break the law, think that when people break the law there's "no recourse", and confuse media hysteria over gun crime with the actual facts (the whole of the UK has about fifty fatal shootings per year, hardly a crime wave).
Did you actually have a point, or did you just want to rant against the English? Do you even know the difference between England and the UK? I see no reason to single out the English for UK policies.
English Law != UK Law (Score:2)
Re: (Score:2)
Re: (Score:3, Funny)
Re:About Bloody Time (Score:5, Insightful)
Oh what, you don't like protection money rackets? If only there were a group of people who could protect you from injustices like that...
Re: (Score:3, Insightful)
That's a neat-sounding argument, except that only a tiny amount of the tax we pay goes into the kind of protection you're talking about, and they're not particularly effective as physical protection even then.
Shhh! (Score:2)
Re: (Score:2)
There called mercenaries or terrorists and they probably cost a lot less than most people pay in taxes.
Re: (Score:2)
Re: (Score:2, Funny)
Re: (Score:2)
They only cost less than taxes until someone pays them more and they stop protecting you.
Re: (Score:2)
Re: (Score:3, Insightful)
To respond to your point about "fine-working legislation", we are doing quite nicely thank you very much. Crime has in fact fallen, but you would never know it from the hysterical media reporting, and for that reason, crime is, alas, perceived to be on the rise. It is in fact thes
Re: (Score:2, Interesting)
One cannot help but observe that the peculiar American fear of gun control - one presumes it stems from deep-rooted insecurities about power, feelings of inadequacy and the belief that a man without a gun is impotent
Citezen-owned guns sure were helpful in the war of 1812 though, eh?
The problem with the US that many foreigners can't seen to grasp is that it is like many countries, but without borders. There are places that are nothing like New York City, which are much more wild than anything you'd find in the UK. Where I grew up, we have bears, wild cats, and (now recovering) wolves. You'd be a fool to go out into the woods fo
Good call, except. (Score:2)
Re:About Bloody Time (Score:4, Insightful)
I cannot agree. (Score:2)
The cost of identity theft is almost certainly higher. Even if only a small fraction of these result in actual identity theft the number of names lost per violation is usually in the thousands.
Remember crimes like this have tertiary costs much the same way that building a factory in a community creates more jobs that the number of people it actually hires. Fixing the damage from an identity theft can take a victim years. There is lost wages, lost
Your "identity" means absolutely nothing. (Score:2)
Think about it, someone asks "who are you." You answer to a question that 50 years ago used to be "what is your name?" YOUR NAME, not YOU. YOU are you, your name is changeable, and it doesn't really describe you. It's like asking, "Hi Joe, what are you." "Oh I'm a computer engineer." NO, that is what you do to pay the r
Re: (Score:2, Interesting)
Would it not seem a bit more clever to actually punish those who actually LOSE the data?
No, it wouldn't. If I start working for the U.S. government in, say, the IRS, and I am provisioned a laptop, the machine is my responsibility.
The following are NOT my responsibility:
The previously listed items are the responsibility of the CTO or CIO of whatever business or organization that provisioned the laptop. In this case, if I were to
Re: (Score:3, Insightful)
This means the police will be less likely to recover the laptop before the data gets discovered and sold.
Re: (Score:2)
Frankly, it's about time people started being punished for being stupid and careless. This whole "it's not MY fault" reeks of people being unable to take responsibility for their own actions. Let's up the ante and add in accomplice to fraud, as you're enabling the data theives with information...
Back to my question then. (Score:2)
I.E. one of the biggest losers of ID info is who? Yes, the government, followed closely by BANKS, which are heavily regulated by? Ahem, yes, the government. Irony at i
Re: (Score:2)
Re: (Score:2)
Unfortunately my country has become mired in the fear of terrorism. Decades of threat from the IRA and we never thought anything like that was necessary. Suddenly the people committing the crimes have funny names, languages and religions as well as funny accents and we're over-reacting left right and centre...
Somewhere it it's odd.. (Score:5, Funny)
Re: (Score:2)
Information stolen from them means loss they want to mitigate.
Coincidentally, this is to your own benefit as well.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Surely we should take intent into consideration (Score:5, Insightful)
But what I can't fathom is the animal-like need for vengeance against the poor government employees who lost the data as the result of one of these accidents. Unless we can show that the person was deliberately taking the information off-line and then staging the theft, how can we possibly in good conscience ruin this person's life just because he forgot a rule. These aren't the Queen's guards, we're talking about. These are people who work for the government (take that in any way you want).
Why are we not holding banks liable for having a system that encourages identity theft by making it as easy as stealing a laptop? Or holding wallet makers responsible for not securing wallets with anything stronger than a clasp? The reason is because we realize that there are limits to the abilities of these companies that can't be stretched much further. Government employees are mentally stretched to their breaking points. How dare we threaten them with jail time when we can't expect any more from them in the first place?
Might as well squeeze blood from a stone.
Re:Surely we should take intent into consideration (Score:5, Insightful)
Re: (Score:2, Funny)
Maybe things are different over on that side of the pond.
Re: (Score:3, Funny)
I can and do actually, when I chose not to visit your silly country.
Re: (Score:3, Insightful)
Re: (Score:2)
As I understand it, there are a few such banks operating out of Switzerland, and some in the Cayman Islands, and a few others in odd places like those. Of course, they'll charge you quite a bit for the privelege, but if you really *are* concerned about people knowing who you are, there are options.
Re: (Score:2)
Not even if you live in the UK.
Banks are liable (Score:2)
The FSA is doing precisely that. Nationwide got fined about a million pounds earlier this year. http://www.thisismoney.co.uk/saving-and-banking/article.html?in_article_id=417453&in_page_id=7 [thisismoney.co.uk]
I know from personal contacts that this woke the banks up pretty sharply (Nationwide are small and were the first: the FSA have told the big four that they'll get far fiercer treatm
Re: (Score:2)
In practice the big four have been quite careful, and have tended to use fairly good encryption: it's no accident that the former building societies have found things harder
Sorry, I'm not sure I follow you. Pretty much all of the big names have been caught with their pants down failing to follow even basic security procedures, such as shredding documents before chucking them in a waste bag out the back of the office or restricting employee access to privileged personal data about customers. These failings have been repeatedly highlighted by consumer advocacy groups and critical media. I'm not aware that any groups within the financial sector have a particularly good record h
Re: (Score:2)
Something *everyone* needs education in. (Score:5, Insightful)
A couple of examples ;
My wife wanted to use my credit card (she doesn't have one) to pay the fees for a educational conference. The conference organisers had a system for collecting payment ; just email all your credit card details (in plaintext) to the secretary! She looked a bit surprised when I refused. When I explained that it would be like writing my card information on a postcard, with a postal service composed of, well, anyone, who would be at liberty to take "photocopies" of the postcard anywhere along it's journey, she was a little more understanding. (I made her telephone the person concerned instead). Perhaps if the iconography of email programs was more "postcardy" instead of "envelopy", this would happen less.
Our office VPN is secured at the concentrator by two-factor authentication. Each user is issued an RSA SecureID token. Last year, they issed the PIN correctly ; the administrator pushes a button and says "NOW" and you remember the first four digits the token is showing - and then you are only person who knows it. This year, they preset them all and mailed them out. Email, that is. In plaintext. This undermines the basic security of the system ; anyone who gains access to those emails now has a list of PINs, most people clip them to the same lanyard as their security pass, identifying the token user. Or even easier, they can do what I did, walk into the office, say "Hi there, can I have my new token...." only to be waved towards the table where they ALL sat, in named envelopes, without my ID even being checked. And this is from people who are supposed to know about information security.
Hopefully the stick of criminal penalties will be wielded diffidently. But people have to shift their perceptions ; data on paper is treated with reverence and locked in a safe, when the data on the computer is left lying around for literally anyone to get hold of. Perhaps this attitude comes from the ease with which computers generate the data in the first place ; it feels cheap and thus "disposable". Which seems silly to a person who knows that a properly managed digital signature is MUCH more secure and reliable than its paper equivalent, but is counter-intuitive to anyone else who still thinks the gold standard is a notary.
Re: (Score:2)
Re: (Score:2)
Probably not. It's not like putting a snail-mail document in an envelope renders it invulnerable to interception. Any postal employee with a sufficient lack of gruntles would be able to read anything you send through the mail via a hacking technique known as "opening the envelope".
So why doesn't mail theft happen more often? Because letter carriers are penalized if they mishandle the materials
Re: (Score:2)
If you combine scruples and gruntles we could have scruntles or even gruples. Both seem to work, I'm sure employers would prefer employees with scruntles over ungrupulous ones.
It made me giggle anyway.
Re: (Score:2)
This is the UK. Typically, unless the employee is criminally negligent the liability would fall on the employer even if the employee had broken the employers rules - e.g. leaving the laptop unattended in a car.
The employer will be expected to take reasonable steps to prevent data loss as a result of carelessness of employees - typically this would mean
Re:Surely we should take intent into consideration (Score:4, Insightful)
The government department has the responsibility for making sure the systems are secure enough for the data they are processing. That includes providing encryption on laptops that process privileged data.
If the employee turns encryption off, or uses a bog standard laptop for convenience when they should have used an approved hardened laptop, then the employee should face the consequences. Too many times employees put their own convenience above the public, or try to say they are too busy to find out what kind of obligations they have when handling confidential data.
Why should we? (Score:5, Insightful)
Why are we not holding banks liable for having a system that encourages identity theft by making it as easy as stealing a laptop? Or holding wallet makers responsible for not securing wallets with anything stronger than a clasp? The reason is because we realize that there are limits to the abilities of these companies that can't be stretched much further. Government employees are mentally stretched to their breaking points. How dare we threaten them with jail time when we can't expect any more from them in the first place?
Perhaps they should have thought of that before legally compelling me to disclose sensitive private data that could be used to ruin my life if it was abused or fell into the wrong hands?
If the situation is reversed, and a member of the public fails to follow procedures that have been shown to be too complicated for the average citizen to get right, the government has no trouble with imposing instant fines instead of allowing people to fix honest mistakes.
I have absolutely no sympathy for the government here. They make the rules. No-one is forcing them to make laws like this, and no-one is forcing anyone to work for departments with lax security. If you make a pact with the devil, expect to go to hell.
Re: (Score:2)
Government is not some nebulous entity. The instant you starting thinking of it as nothing but a body corporate with crown immunity, it becomes legally and ethically invulnerable. No-one can be held accountable for anything any more, and thus there is no need to fix anything that is broken.
In reality, governments are composed of large numbers of real people, each with their own role to play and responsibility for it. It is not acceptable for senior figures who produce foolish laws to pass the buck to the
Charges for stupidity... (Score:3, Insightful)
I'm not saying the punishment should be high, but just as killing someone by not being careful enough is homicide, I think this same idea should be applied in this case.
In any case, if the loss of data has been purely accidental, with no lack of carefulness by the perpetrator, there should be no punishment at all.
Re: (Score:2)
Also, how is losing a laptop with data different from having stupid security (or a stupid security bug) on a website or server?
Re: (Score:2)
Re: (Score:2)
"Zealot" is one of these wonderful english words, that express a very strong sentiment and often cannot really be translated well. Another one I especially like is "pathetic".
Re: (Score:3, Funny)
Also can be used as verb, "to zerg", which means both forces are basically trying to stop each other and nothing moves. Sample usage: "Everybody is zerging in here."
Re: (Score:2)
Enforcement? (Score:5, Insightful)
Re: (Score:3, Interesting)
"I admit my laptop was stolen last night, but...I...uh had just wiped the hard drive to downgrade to XP. Yeah, that's it."
Re: (Score:2)
Good idea (Score:5, Interesting)
Re: (Score:3, Insightful)
Re: (Score:2)
Err... no. There are perfectly good, secure, disk encryption schemes available for Windows that should make it impossible for anyone to access the data (save via user incompetence).
Re:Good idea (Score:4, Insightful)
Agreed. It's not that people don't think about it; I work in IT, and we think about it all the time. But it's very difficult to actually enforce meaningful security if nobody understands the point of it. It simply gets seen as a hassle imposed by IT because they're control freaks trying to make themselves look important to the rest of the organisation. The top management doesn't care; all they hear is the hassle it's causing their Executive Directors when IT won't let them log on to the VPN while they're at the airport because they left their RSA token at home.
Unfortunately, if you set up good security and the users don't understand it, they'll circumvent it: the private key used to unlock the laptop's encrypted drive will be stored on a USB stick with the laptop, along with a sticky note with the user's password and their RSA SecureID token. So not only do people resent you when you try improve security standards, but they actively seek to undermine it. Even a single crappy password like "Wednesday1" is better than having everything you need to access sensitive data neatly packed with the laptop.
Therefore, to get proper security, everyone needs at least an intermediate level understanding of computer security. That's a massive undertaking for most organisations, where people's main job function isn't anything to do with computers. Most people don't want to understand computers at all, they just want to use them. Kind of like telephones: most people don't even consider for a moment if their phone is secure or not, and have no interest in learning how the call they make from their office phone gets from their desk to the other side of the country.
Really, before you even have a shot at putting in place meaningful, consistent security, you need a long-term commitment from all levels of management to establish and maintain strong security and train the staff to use it properly, even when it causes inconveniences. Given how much trouble we have getting people to use the records management system properly, this actually seems like a very high mountain to climb.
The possibility of being embarrassed because of data theft isn't anywhere near a strong enough motivation for most organisations. Therefore, legislation like this is probably a good move -- though I think it should apply to any organisation that collects personal information, government or not. But you have to start somewhere.
Furthermore, it shouldn't require actually losing data before there's a possibility of punishment. One should be able to report agencies and companies that aren't taking their duty of care seriously, and report them. Otherwise it's still easier for a lot of organisations to say "it won't happen to us" and only pay lip-service to information security. So, if your bank is using dubious client-side "security", report them!
There'd be a lot of short-term pain, but long term gain. It might even slow down the pace at which computers take over the world, and maybe us folk that program and administrate them can catch the fuck up with what users are expecting from it all.
Re: (Score:2)
It also applies on a bit a different level: Computers need competent administration. If users self-administrate, they need to aquire at least an intermediate level of understanding, of what their system does.
Re: (Score:2)
But, many times they -are- a bunch of control freaks trying to make themselves look important. Face it, IT and security aren't an end in themselves. They're a means. They're the support function. If that support function interferes with the mission (ie: to make money, etc.) then it's the support function that must be re-thought, not the mission.
There's negligence and there's no choice (Score:5, Insightful)
1) Create sensible security rules that should keep the data safe, even when on a notebook. Current notebooks are fairly easy to secure to the point where theft of the notebook doesn't mean theft of data. That includes, but is not limited to, choosing secure hardware and software, limiting laptop use to work, reducing user rights to the minimum for operation.
2) Train people and give them a fairly heavy "or else" to follow those rules.
3) If they follow the rules and still have their notebook stolen, no problem. If they're careless, throw the briefcase at them.
What I want to see is the government as a whole to react to the threat. Not finding a scapegoat to take the blame, sack him and go on with the same shit.
Re: (Score:2)
Make the Punishment fit the Crime (Score:2)
This would be a useful deterrent, as well as an object lesson for the "you have nothing to fear if you have nothing to hide" anti-privacy muppets.
Holy motherboard of IT gods... (Score:5, Insightful)
I believe that you will find that in more than 90% of such cases, the end user was following the given policies for the data they were using. We ALREADY have laws for how that data is to be treated. Breaches of those laws must be processed before we look for new laws. I cannot cite any specific regulations, but financial institutions and basic corporations now have legal requirements on how to treat privacy information. SarBox law in the US, and I'm sure that the UK has similar regulations. The fact that the information is getting 'lost' to someone in the public is not indication of criminal activity, but lax processes in the organization for which they work. Laptop theft is rampant, some would say, because they are easy to take. Often because the theft is easy, and done by someone who has no idea what is on the laptop hard drive.
So, lets just have guidance on how to process the legal side of such breeches. Find out what safeguards were in place, if they were being used, if the end user was obviously ignoring them etc. There is seldom need for new laws, simply better processes or guidelines for using what currently exists. Remember, tax evasion was used to get some mobsters? Misuse of government equipment? How about dereliction of duty? There are tons of ways to punish someone without creating new laws. I sometimes think that people would enact a law to prohibit large turds if it would stop the problems with the outdated treatment plants. Look at all the silly laws that are still on the books. Do we really need a new law that will be useless in 5 years?
Politicians and the Internet.... oil and water.
Re: (Score:2)
Here we go again, as mentioned, we are trying to enact laws that punish the wrong person(s). The fact that they have personal data on a laptop that is not physically secured is a sign that the organization that they work for is corrupt or inept. Please please please let's look at how such incidents happen, then punish the culpable, not simply state that the bag man is going to hang.
The summary is very clear that the charges would be against the person who lost the laptop, rather than the organization that lost it. The article seems to be slightly less clear about this, so it may not actually be the case.
Re: (Score:3, Interesting)
It applies within governments as well as anywhere else. Frequently more so, as governments tend to outsource systems development to outside companies - who sometimes work with departments to turn requirements into something which can be sensibly implemented, but as often as not nod their heads and implement whatever they're told.
I can easily imagine how such a system could come into being.
Re: (Score:2)
No, thank God, the UK does *not* have anything similar to Sarbanes-Oxley. The only real requirement we have is the Data Protection Act, which requires only that "appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data." The law offers little or no means to identify what an "appropriate technica
let's make it illegal to get a virus, too (Score:4, Insightful)
If a PC (or laptop, or a server)that holds confidential data is audited and shown to be vulnerable to external attack, then this is just as negligent as leaving unprotected data open to theft and should be treated in the same way.
It's not actually their fault anyway... (Score:4, Insightful)
Securing and encrypting the drive is a job for the organisation's IT infrastructure team, not the end employee. Given that government officials are generally not the most tech-savvy people around, it seems crazy to punish them for something that should already be pre-installed on their machine when they receive it.
Companies not the Employees (Score:4, Interesting)
Let's face it. I'm sure *a lot* of employees don't even know much about encryption software, let alone which ones to use and how they work. I don't see the sense in blaming an employee that "should have known better" when it's possible that the company didn't provide the tools/training to allow employee to know what to do.
That being said, the employee has some responsibility to bear as well. If they take it to a restaurant and accidentally leave it there, that's their fault. If the company *does* have a policy about encrypting private information and the employee doesn't follow it, then it's the employee's negligence. If the company says, "No private data offsite," and the employee leaves with it on his/her laptop. It's that employee's own fault.
Re: (Score:2)
Re: (Score:2)
The problem that I see with this is that government agencies (or corporations) aren't being penalized. I don't think that the employee can be blamed when the corporate policy allows the employee to have sensitive information on their laptop *and* take the laptop off-site.
Corporations and government agencies are comprised of people. And it is people who do the daftest things when it comes to security. In fact, 95% or better of security problems involve the USER carelessness for the problem.
Let's face i
Re: (Score:2)
And it is especially stupid to go after the low-level employee in a matter where upper-management is dropping the ball. You're just agreeing that when a government agency or corporation blunders, there should be a legal scapegoat so that they don't 'lose face.'
We really are on the same page, except I think employees should pay the damages as well as the company. Say a maximum fine of 20% of gross annual salary of the employee to the employee and substantially higher limits for company senior management.
And in other news... (Score:3, Interesting)
If they're going to enforce anything, they should enforce encryption on the laptops. Punishing minor officials for honest mistakes is a pretty stupid thing to do.
Lost/stolen is irrelevant (Score:2)
http://www.truecrypt.org/ [truecrypt.org]
What if the loss is NOT your fault? (Score:4, Insightful)
Ok... hypothetical (but realistic) situation:
What about if your job calls for you to take a laptop that you don't necessarily "want", but it's now part of your job (as a travelling salesman, a consultant, or whatever)? And what if the lunkheads who image that laptop don't bother to put any encryption or other data protection software on it? And you're not allowed to add any "unauthorized software" to help protect yourself?
Guess what? Your employer has made you the IT equivalent of a soft target.
Under the above scenario, it seems enormously unfair to become subject to criminal charges due to the negligence of your employer. Easy for all you critics to say "go get another job"... while that certainly would be the ultimate solution, that's hard to do in an economy where consolidation and right-sizing still rule the day.
Re: (Score:2)
Re: (Score:2)
Then my understanding is that the data protection law would not place the blame on the person carrying the laptop, but on the per
sounds reasonable. (Score:2)
sounds entirely reasonable to me.
and of course, mandated encryption as well.
Laws are cheap (Score:2)
This is what is has come down to... (Score:2)
Humans lose things (Score:2)
You need to design things assuming that people will lose things.
Humans are not perfect.
Bad Idea (Score:2)
Laptop gnomes (Score:2)
2. Make Law requiring all laptops with personal data be encrypted.
3. Decrypt laptops.
4. ?
5. Send them to Prison!
That's pretty ruthless... (Score:2)