Slashdot Mirror
Losing Personal Info On A Laptop Could Get You Charged
E5Rebel writes "The UK's data protection watchdog has called for legislation that would punish corporate or government officials with access to the public's personal data ... who lose it. Unencrypted laptops with this personal information which are lost or stolen will see their owners facing criminal charges. 'HM Revenue and Customs is among the organisations that have recently suffered high profile data security breaches as a result of laptops being lost or stolen. The HMRC laptop containing taxpayer data was encrypted - but other organisations have often failed to encrypt their machines.'"
Might make these idiots think before going out on a piss-up on the way home and taking the laptop with them, then losing it. Legislation like this - which actually takes people's privacy seriously and does something about it - is something we could use more of. And I don't normally hear myself clamouring for new law...
:|
..that a group of people who want to know more and more personal details about you, especially in the last 6 years,.. are now coming up with legislation that should help to take the privacy of people seriously.
I'm all for hardening our security systems in order to both prevent these types of accidents in the first place and to minimize the impact of such accidents in their inevitable occurences. I can't think of any reason a laptop would need to carry that sort of data, much less have it contained on the hard disk in an unencrypted filesystem.
But what I can't fathom is the animal-like need for vengeance against the poor government employees who lost the data as the result of one of these accidents. Unless we can show that the person was deliberately taking the information off-line and then staging the theft, how can we possibly in good conscience ruin this person's life just because he forgot a rule. These aren't the Queen's guards, we're talking about. These are people who work for the government (take that in any way you want).
Why are we not holding banks liable for having a system that encourages identity theft by making it as easy as stealing a laptop? Or holding wallet makers responsible for not securing wallets with anything stronger than a clasp? The reason is because we realize that there are limits to the abilities of these companies that can't be stretched much further. Government employees are mentally stretched to their breaking points. How dare we threaten them with jail time when we can't expect any more from them in the first place?
Might as well squeeze blood from a stone.
I tend not to worry too much about my personal data, but I understand why some people do. If somebody is stupid enough to loose (or get stolen) a computer with other people's data in it, s/he should have to face the consecuences. I guess at some point anybody who is given other people's personal data should have signed something, taking responsibility of their acts.
I'm not saying the punishment should be high, but just as killing someone by not being careful enough is homicide, I think this same idea should be applied in this case.
In any case, if the loss of data has been purely accidental, with no lack of carefulness by the perpetrator, there should be no punishment at all.
Tis women makes us love, Tis Love that makes us sad, Tis sadness makes us drink, And drinking makes us mad.
In the modern world, people really need to learn more about data hygiene and security. If criminal charges are what it takes for large organizations and also the general public to become more serious about the routine security of information, then perhaps this is not such a bad thing.
A couple of examples ;
My wife wanted to use my credit card (she doesn't have one) to pay the fees for a educational conference. The conference organisers had a system for collecting payment ; just email all your credit card details (in plaintext) to the secretary! She looked a bit surprised when I refused. When I explained that it would be like writing my card information on a postcard, with a postal service composed of, well, anyone, who would be at liberty to take "photocopies" of the postcard anywhere along it's journey, she was a little more understanding. (I made her telephone the person concerned instead). Perhaps if the iconography of email programs was more "postcardy" instead of "envelopy", this would happen less.
Our office VPN is secured at the concentrator by two-factor authentication. Each user is issued an RSA SecureID token. Last year, they issed the PIN correctly ; the administrator pushes a button and says "NOW" and you remember the first four digits the token is showing - and then you are only person who knows it. This year, they preset them all and mailed them out. Email, that is. In plaintext. This undermines the basic security of the system ; anyone who gains access to those emails now has a list of PINs, most people clip them to the same lanyard as their security pass, identifying the token user. Or even easier, they can do what I did, walk into the office, say "Hi there, can I have my new token...." only to be waved towards the table where they ALL sat, in named envelopes, without my ID even being checked. And this is from people who are supposed to know about information security.
Hopefully the stick of criminal penalties will be wielded diffidently. But people have to shift their perceptions ; data on paper is treated with reverence and locked in a safe, when the data on the computer is left lying around for literally anyone to get hold of. Perhaps this attitude comes from the ease with which computers generate the data in the first place ; it feels cheap and thus "disposable". Which seems silly to a person who knows that a properly managed digital signature is MUCH more secure and reliable than its paper equivalent, but is counter-intuitive to anyone else who still thinks the gold standard is a notary.
How do they propose to enforce this. I would bet damn near 100% of data breaches are self reported by the losing party. If you are suddenly going to face criminal charges I bet it will be a damn rare case where thefts actually get reported. So the statistics will show that data loss is at an alltime low and yet people will actually be at MORE risk due to the fact that companies that would have previously reported the incident and paid the couple hundred thousand for identity protection for a year or two will now keep things quite. Beyond which I also know from published studies that lost information devices have resulted in basically no known identity theft but lack of shredding (dumpster diving) and unsecured databases have led to a heck of a lot of cases.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
I think this is a good idea. Of course as soon as due diligence was used (encrypted drive, reasonable system administration, firewall, malware scanner if it is Windows), it should not be criminal anymore. But this will get people to finally think about what they have to do to ensure minimal security standards. About time.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
It's one thing to leave the notebook running on your passenger seat and another one having it taken from you at gunpoint. What I'd expect to happen is this:
1) Create sensible security rules that should keep the data safe, even when on a notebook. Current notebooks are fairly easy to secure to the point where theft of the notebook doesn't mean theft of data. That includes, but is not limited to, choosing secure hardware and software, limiting laptop use to work, reducing user rights to the minimum for operation.
2) Train people and give them a fairly heavy "or else" to follow those rules.
3) If they follow the rules and still have their notebook stolen, no problem. If they're careless, throw the briefcase at them.
What I want to see is the government as a whole to react to the threat. Not finding a scapegoat to take the blame, sack him and go on with the same shit.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Here we go again, as mentioned, we are trying to enact laws that punish the wrong person(s). The fact that they have personal data on a laptop that is not physically secured is a sign that the organization that they work for is corrupt or inept. Please please please let's look at how such incidents happen, then punish the culpable, not simply state that the bag man is going to hang.
I believe that you will find that in more than 90% of such cases, the end user was following the given policies for the data they were using. We ALREADY have laws for how that data is to be treated. Breaches of those laws must be processed before we look for new laws. I cannot cite any specific regulations, but financial institutions and basic corporations now have legal requirements on how to treat privacy information. SarBox law in the US, and I'm sure that the UK has similar regulations. The fact that the information is getting 'lost' to someone in the public is not indication of criminal activity, but lax processes in the organization for which they work. Laptop theft is rampant, some would say, because they are easy to take. Often because the theft is easy, and done by someone who has no idea what is on the laptop hard drive.
So, lets just have guidance on how to process the legal side of such breeches. Find out what safeguards were in place, if they were being used, if the end user was obviously ignoring them etc. There is seldom need for new laws, simply better processes or guidelines for using what currently exists. Remember, tax evasion was used to get some mobsters? Misuse of government equipment? How about dereliction of duty? There are tons of ways to punish someone without creating new laws. I sometimes think that people would enact a law to prohibit large turds if it would stop the problems with the outdated treatment plants. Look at all the silly laws that are still on the books. Do we really need a new law that will be useless in 5 years?
Politicians and the Internet.... oil and water.
Support NYCountryLawyer RIAA vs People
If a PC (or laptop, or a server)that holds confidential data is audited and shown to be vulnerable to external attack, then this is just as negligent as leaving unprotected data open to theft and should be treated in the same way.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
The problem with the whole "ignorance is not a defence" argument is that, as convenient a sound-bite as it makes, it's still an unreasonable cop-out.
No-one knows what every law in the country that applies to them says. Even if they did, many people could not understand the legalese without assistance. There have been demonstrations that show that even MPs who approve our legislation can't complete their own tax return correctly. Our own government frequently fails to follow its own laws because some official didn't know what some other official was doing — and that's their full-time job!
It may be a legal convenience to say that ignorance is not a defence, but ethically it is a very dubious principle if it isn't matched with an effective education policy that makes it a reasonable assumption that everyone should know and understand all the laws that apply to them. If you construct a system where no-one can know it, and then say that not knowing it is no defence, then you are simply criminalising arbitrarily, and that is universally the mark of a legal system gone too far.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
The problem that I see with this is that government agencies (or corporations) aren't being penalized. I don't think that the employee can be blamed when the corporate policy allows the employee to have sensitive information on their laptop *and* take the laptop off-site.
Let's face it. I'm sure *a lot* of employees don't even know much about encryption software, let alone which ones to use and how they work. I don't see the sense in blaming an employee that "should have known better" when it's possible that the company didn't provide the tools/training to allow employee to know what to do.
That being said, the employee has some responsibility to bear as well. If they take it to a restaurant and accidentally leave it there, that's their fault. If the company *does* have a policy about encrypting private information and the employee doesn't follow it, then it's the employee's negligence. If the company says, "No private data offsite," and the employee leaves with it on his/her laptop. It's that employee's own fault.
So, The number of lost laptops is going to drop to zero, and the number of stolen laptops (stolen, no doubt by Middle Eastern gentlemen of unspecified heights) is going to go up.
If they're going to enforce anything, they should enforce encryption on the laptops. Punishing minor officials for honest mistakes is a pretty stupid thing to do.
Training monkeys for world domination since 1439
Why are we not holding banks liable for having a system that encourages identity theft by making it as easy as stealing a laptop? Or holding wallet makers responsible for not securing wallets with anything stronger than a clasp? The reason is because we realize that there are limits to the abilities of these companies that can't be stretched much further. Government employees are mentally stretched to their breaking points. How dare we threaten them with jail time when we can't expect any more from them in the first place?
Perhaps they should have thought of that before legally compelling me to disclose sensitive private data that could be used to ruin my life if it was abused or fell into the wrong hands?
If the situation is reversed, and a member of the public fails to follow procedures that have been shown to be too complicated for the average citizen to get right, the government has no trouble with imposing instant fines instead of allowing people to fix honest mistakes.
I have absolutely no sympathy for the government here. They make the rules. No-one is forcing them to make laws like this, and no-one is forcing anyone to work for departments with lax security. If you make a pact with the devil, expect to go to hell.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Ok... hypothetical (but realistic) situation:
What about if your job calls for you to take a laptop that you don't necessarily "want", but it's now part of your job (as a travelling salesman, a consultant, or whatever)? And what if the lunkheads who image that laptop don't bother to put any encryption or other data protection software on it? And you're not allowed to add any "unauthorized software" to help protect yourself?
Guess what? Your employer has made you the IT equivalent of a soft target.
Under the above scenario, it seems enormously unfair to become subject to criminal charges due to the negligence of your employer. Easy for all you critics to say "go get another job"... while that certainly would be the ultimate solution, that's hard to do in an economy where consolidation and right-sizing still rule the day.
The problem with socialism is that they always run out of other people's money. - Margaret Thatcher
Physically losing a laptop, is not in itself a crime. The negligence aspect of containing confidential data on an unsecured device is what turns stupidity into an offence.
Securing and encrypting the drive is a job for the organisation's IT infrastructure team, not the end employee. Given that government officials are generally not the most tech-savvy people around, it seems crazy to punish them for something that should already be pre-installed on their machine when they receive it.