The recent theft of a hard drive from a small business owner has resulted in a significant fine and a warning from the Information Commissioner's Office (ICO). The warning was a stern reminder to business owners of their legal obligation to protect any personal data stored on portable devices.
The theft of the hard drive occurred on a London street early in August of this year. According to official reports, the business owner was carrying a hard drive in a case along with documents and cash. While he was stopped at a traffic light, the case was stolen from his car. Although the hard drive in question was password-protected, the data on it was not encrypted, so whoever stole it had easy access to all sorts of personal information.
The most troubling aspect of the theft is the fact that the business owner runs a Wembley-based loan company. The information on the hard drive included names, addresses and other information needed to process and administer loans. For his carelessness, the owner was fined £5,000. It could have been as high as £70,000 had he the means to pay it.
In his official remarks, ICO head of enforcement Stephen Eckersley was very clear in stating that his agency has repeatedly warned organisations of their legal obligation to protect customer data. In this particular case he said that if “the hard drive had been encrypted the business owner would not have left all of their customers open to the threat of identity theft and would not be facing a £5,000 penalty following a serious breach of the Data Protection Act.”
No Longer an Option
In the IT world, we know how important encryption is to commercial network communications. It is something we deal with on a daily basis. Without proper security and management of customer information, it is too easy for hackers to break into computer systems and wreak havoc with the data they find.
What's more, we do not leave security entirely in the hands of mindless software applications. It requires comprehensive training as well: training in the proper deployment of security software and in filling the holes that such software is not capable of filling on its own. It takes a combination of technology and human action to ensure maximum security.
It appears that this particular case is one where the business owner had assumed the typical ‘these sorts of things never happen to me’ mindset. There is no other way to explain the transport of a portable hard drive with unencrypted data on it. As demonstrated by the theft, precious data is not even safe when it's sitting next to you in a car.
Encryption is vitally important because it is usually the last line of defence against data thieves. A password-protected hard drive is only effective against amateurs or petty thieves with no knowledge of computer systems; however, it does nothing against the professional whose livelihood depends on stealing data. Encryption makes data theft significantly more difficult to pull off.