Slashdot Mirror


Losing Personal Info On A Laptop Could Get You Charged

E5Rebel writes "The UK's data protection watchdog has called for legislation that would punish corporate or government officials with access to the public's personal data ... who lose it. Unencrypted laptops with this personal information which are lost or stolen will see their owners facing criminal charges. 'HM Revenue and Customs is among the organisations that have recently suffered high profile data security breaches as a result of laptops being lost or stolen. The HMRC laptop containing taxpayer data was encrypted - but other organisations have often failed to encrypt their machines.'"

7 of 199 comments

  1. Good idea by gweihir · Score: 4, Interesting

    I think this is a good idea. Of course as soon as due diligence was used (encrypted drive, reasonable system administration, firewall, malware scanner if it is Windows), it should not be criminal anymore. But this will get people to finally think about what they have to do to ensure minimal security standards. About time.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  2. Companies not the Employees by pyr3 · Score: 4, Interesting

    The problem that I see with this is that government agencies (or corporations) aren't being penalized. I don't think that the employee can be blamed when the corporate policy allows the employee to have sensitive information on their laptop *and* take the laptop off-site.

    Let's face it. I'm sure *a lot* of employees don't even know much about encryption software, let alone which ones to use and how they work. I don't see the sense in blaming an employee that "should have known better" when it's possible that the company didn't provide the tools/training to allow the employee to know what to do.

    That being said, the employee has some responsibility to bear as well. If they take it to a restaurant and accidentally leave it there, that's their fault. If the company *does* have a policy about encrypting private information and the employee doesn't follow it, then it's the employee's negligence. If the company says, "No private data offsite," and the employee leaves with it on his/her laptop, it's that employee's own fault.

  3. And in other news... by seanyboy · Score: 2, Interesting

    So, the number of lost laptops is going to drop to zero, and the number of stolen laptops (stolen, no doubt by Middle Eastern gentlemen of unspecified heights) is going to go up.

    If they're going to enforce anything, they should enforce encryption on the laptops. Punishing minor officials for honest mistakes is a pretty stupid thing to do.

    --
    Training monkeys for world domination since 1439
  4. Re:Enforcement? by bcattwoo · Score: 2, Interesting

    How do they propose to enforce this? I would bet damn near 100% of data breaches are self reported by the losing party. If you are suddenly going to face criminal charges I bet it will be a damn rare case where thefts actually get reported. And how will they prove that unencrypted data was present on the now missing laptop anyway?

    "I admit my laptop was stolen last night, but...I...uh had just wiped the hard drive to downgrade to XP. Yeah, that's it."
  5. Re:Holy motherboard of IT gods... by jimicus · Score: 2, Interesting

    You ever heard the saying "In the valley of the blind, the one-eyed man is king"?

    It applies within governments as well as anywhere else. Frequently more so, as governments tend to outsource systems development to outside companies - who sometimes work with departments to turn requirements into something which can be sensibly implemented, but as often as not nod their heads and implement whatever they're told.

    I can easily imagine how such a system could come into being.
    • A manager who couldn't do something once because some aspect of the network was unavailable dictates that the requirements for a given piece of software include "must function offline" - which immediately implies a thick client caching some or all of a database.
    • The team developing the product consider encrypting the data outside the scope of their product - makes far more sense for the end user to have something on their PC which does that transparently to the application. They might note this in the documentation, but it'll be a single mention buried in hundreds of pages of somewhat dry prose.
    • The team handling desktop software management were never involved in development - they're just told to install the software. They never even notice "hey, it still works even though we're not on the network anymore" because they only run and check equipment connected to the network.

    The developer contracted to develop the product should make more of a point that in order to protect privacy, either they don't cache data locally or some sort of encryption must be employed. But without legislation to that effect, there's no incentive to develop a policy which states "This group of people is responsible for ensuring that we comply with appropriate legislation, and all systems designs must be discussed with them".
  6. Re:About Bloody Time by RulerOf · Score: 2, Interesting

    Would it not seem a bit more clever to actually punish those who actually LOSE the data?
    No, it wouldn't. If I start working for the U.S. government in, say, the IRS, and I am provisioned a laptop, the machine is my responsibility.
    The following are NOT my responsibility:
    1. Password Complexity Requirements
    2. Full Hard Disk Encryption
    3. Data Stored on the HDD as Opposed to a VPN/Terminal Server
    4. Data Stored on the HDD in the First Place

    The previously listed items are the responsibility of the CTO or CIO of whatever business or organization that provisioned the laptop. In this case, if I were to lose the laptop that had been provisioned to me, it would be the IRS's fault, NOT mine for any resulting data breach. That doesn't change the fact that I should be severely reprimanded (or fired) for losing company/gov't property, but I should never have to be responsible for data security policies that I don't need to understand to do my job.
    --
    Boot Windows, Linux, and ESX over the network for free.
  7. Re:About Bloody Time by Anonymous Coward · Score: 2, Interesting

    While the GP is clearly delusional, I am not going to let your sweeping generalization go.

    One cannot help but observe that the peculiar American fear of gun control - one presumes it stems from deep-rooted insecurities about power, feelings of inadequacy and the belief that a man without a gun is impotent

    Citizen-owned guns sure were helpful in the war of 1812 though, eh?

    The problem with the US that many foreigners can't seem to grasp is that it is like many countries, but without borders. There are places that are nothing like New York City, which are much more wild than anything you'd find in the UK. Where I grew up, we have bears, wild cats, and (now recovering) wolves. You'd be a fool to go out into the woods for more than a short walk without some sort of a weapon. So, we can buy weapons. The problem then is that people take those to cities, where admittedly there shouldn't be any guns. In most cities, it's quite illegal to have any gun unless you have a special permit (law enforcement, etc). Without border checkpoints however, it is rather difficult to stop guns from entering the city. When I was in Germany, the press was going nuts about a *single bear* entering German soil in the mountains. They shot it. So, I guess you can have a safe gunless society if you are willing to ruin nature. Should we be doing that in Alaska? Or should we pass gun laws that prevent even Alaskans from carrying guns? Gets a bit more complicated, doesn't it?

    One good example of a relatively gun-safe nation which hasn't totally ravaged its large natural predator population is Canada. Of course, they do allow many types of guns, but the cities have remained largely safe. Unfortunately, the gun-crime rate there is increasing steadily, so it's unclear if they are ultimately safer, or just behind the US. It may be a bit of both. Organized crime and gangs are growing there so that certainly won't help.