UK Fines Group For Lost Laptop As US Gov't Keeps Losing Laptops Itself
from the nice-work dept
Just as we find out that the latest case of a lost government computer containing even more sensitive data, it appears that the UK government is taking more of a hard line on similar data losses. In the US, the law right now requires disclosure — and that’s about it. It’s become pretty standard for US companies to also offer credit monitoring — but it’s not particularly costly to lose sensitive data these days. Over in the UK, however, the Nationwide Building Society has been fined nearly $2 million for losing a laptop that included details on 11 million customers. Now can we get the US government to fine itself for all the sensitive data they keep losing on laptops?
Comments on “UK Fines Group For Lost Laptop As US Gov't Keeps Losing Laptops Itself”
lack of encryption
It’s not actually losing the laptops, it’s the fact that when they do, the laptop hasn’t been encrypted.
I’ve worked for the gov’t for thirty years, and no matter how hard you try, once an Agency gets over a couple of thousand people, keeping track of all of their equipment gets to be a really hard job.
So, as with my own Agency, you don’t try so hard to stop what you can’t, you concentrate on protecting what you know you can’t afford to lose. In other words, you not only encrypt the hard drive of all laptops, but you set up your systems so that accessing the information is done through secure, encrypted VPN connections to protected servers where the information is kept safely behind firewalls. That way, when (not if, but WHEN) a laptop is lost, there isn’t any information there to be compromised. So really, the only info you are protecting on the laptop is your network information.
You’ll never be able to stop the loss of portable hardware. You concentrate on protecting your information instead.
We’ve been doing this for over five years, now.
Re: lack of encryption
Rahrens,
I agree with you so much about protection. Its unacceptable to have any computer with information that is vital to a company, its clients, or National Security.
There is no reason that this type of information should go unencrypted these days especially by government agencies.
Rahrens stated it well. I work for a small company were we use real production snapshots of our database for development, and hence we have sensitive data. We use multiple levels of encryption to protect this data. If we were larger we would probably want to generate fake data for most development (throwing out the encryption would speed our development systems), but we would still need to use real snapshots for the final QA.
As for the UK Fine, 2 million is nothing compared to the cost of credit monitoring for 11 million customers, even if there are significant discounts over retail prices for the service.
Granted credit monitoring isn’t a requirement, but I think a simple fine might make the company wring their hands and say they paid the fine and they’re done instead of providing the customer with at least some remediation.
Re: Re:
Shit you’re right – I saw the new this morning and thought ‘fekkin A – they’re doing something about it at last’
But you’re right this probably is the cheaper option
Problem is if you state “and you must do credit monitoring” in a sentence hearing, most copmpanies would just go with some bare minimum monitoring and say they had complied (I always wonder exactly how far companies go at the moment)
The other problem with the alternative higher penalties especially against institutions like banks is you could damage their performance, which in the end would probably hurt the very customers whom you are trying to protect
No idea what the solution is in all honesty
I’m with Charlie on this one. If a fine becomes the punishment then most companies will just pay it and move on to the next data loss. As he points out credit monitoring for all those customers will probably cost more than the fine itself, making the fine a slap on the wrist.
And remember that free credit monitoring from the company that lost your data does not gaurantee that the shop/store/site where your lost/stolen was used will copoerate with you on repaiment.
Fine and Dandy
That’s great for the private companies, but what about the government?
If they made such a law, who would pay for the credit monitoring? The American people, through taxes.
What kinda laptop's are they losging here?
Who collects the fine? What would it be used for?
Give that 2 million dollar fine to 11 million customers… that is 20 cents each. Wow… seems pathetic.
I think the fine should be high enough to make the company want to actively protect data as opposed to just waiting until something bad happens and paying the one time fine.
How the heck are they losing laptops?
I can understand forgetting your jacket in a restaurant, but how do people keep losing laptops? Maybe it’s just me, but if I’m responsible for taking care of a piece of hardware that costs a few thousand dollars and has sensitive data on it, I’d keep my eyes on it. Maybe if they fired anyone whose laptop went missing, people might be a little more responsible. And maybe if companies issued some cool-looking watches to their employees that made a buzzing sound if they got more than twenty feet from the laptop, they’d have even less of a problem. I know you’d say “people would want to wear their own watch,” but if you knew you were going to get fired for losing the hardware, I think that’d be a pretty good argumet to wear the issued one.
Re: How the heck are they losing laptops?
Its in the article – it was stolen from his house
Thats how a majority of laptops go ‘missing’ regular burglaries where the theif opens up your trunk/house/office and comes across a laptop…
so no, flashy watches aren’t going to help – only proper security of the data in the first place will
I agree with encrypting the files, but there should be some reprecussions for losing data. As stated depending on the size of the company some of these fines won’t hurt them. Why is it when CEO’s lose money for a company that even when they get fired they get a fat check. People’s heads need to roll. If a person quit or was fired and then the person who was in charge of getting the equipment back should be fired, what the hell are we paying them for if they can’t even do their jobs. If a department continues to lose data then the manager should be fired, and up and up you go. This tactic would hopefully work for government positions because fining them would only take away from the same people the loss was hurting. We need to start individualizing the faults as much as possible. Big Corporation should be fined at the very least a few thousand for each persons data they lost if it is because of the CEO there should be a clause in their contract that says that problems like these would be deducted from their salary, why the hell pay them 10 million a year when a single fine caused by their actions would cost the company millions over probbably several years.
I agree with encrypting the files, but there should be some reprecussions for losing data. As stated depending on the size of the company some of these fines won’t hurt them. Why is it when CEO’s lose money for a company that even when they get fired they get a fat check. People’s heads need to roll. If a person quit or was fired and then the person who was in charge of getting the equipment back should be fired, what the hell are we paying them for if they can’t even do their jobs. If a department continues to lose data then the manager should be fired, and up and up you go. This tactic would hopefully work for government positions because fining them would only take away from the same people the loss was hurting. We need to start individualizing the faults as much as possible. Big Corporation should be fined at the very least a few thousand for each persons data they lost if it is because of the CEO there should be a clause in their contract that says that problems like these would be deducted from their salary, why the hell pay them 10 million a year when a single fine caused by their actions would cost the company millions over probbably several years.
Being responsible for data/property
In a former life, I was in charge of securing VITAL confidential/proprietary clinical trials data and other sensitive documents for a medical/bio-tech startup company. The research probably cost several million US$$$ & more than a few years of time. Away from the office(s), I carried the data in a large briefcase that I NEVER let out of my site or beyond a few feet out of my reach unless I handed-it-off to another trusted employee.
Once, going out to dinner at a swanky restaurant with a group of coworkers & the new VP of Ops, the new VP suggested that I should just leave the briefcase in my car (he knew what was contained inside the briefcase). I said, “no thanks”. At the time I was only a lowly Admin Asst, but there was no way that I would leave that valuable property on which the whole entire future of the company was based in an unattended car outside of my direct control and subject it to possible theft/loss.
Contrary to popular belief, the trunk of a car is NOT a secure/concealed storage environment….especially when you don’t know whom might be watching you stash something there before your leaving the car.
I was brought-up by my parents to respect and take responsibility for myself, my job, and whatever is entrusted to me. Apparently, that VP wasn’t. Along w/the new CEO, the pair of them promptly bankrupted the company…..after handsomely lining their own pockets, of course.
Nowadays, we are breeding a culture of carelessness/carefreeness and shirking responsibility is encouraged, or at least is not effectively penalized.
Organizations & employees, as well as gov’t & society are simply too lax in their attitudes toward protecting property/data both inside & outside of the office environment.
Good Luck!!
oops...
EDIT: (1st paragraph)
I meant *sight* , not “site”. ;>