Ever lost data? Do your staff realise the consequences of losing IT equipment?
This month the Information Commissioner's Office (ICO) fined Heathrow Airport £120,000 after an employee lost a USB stick containing sensitive personal data on around 60 personnel.
The stick, which was found by a member of the public, contained more than 1,000 files. The crucial point was that it was neither encrypted nor password protected, and the size of the ICO's fine reflected that.
The ICO's investigation stated: "Data protection should have been high on Heathrow's agenda. But our investigation found a catalogue of shortcomings in corporate standards, training and vision that indicated otherwise." One of the main failings it cited was the "lack of training for staff in data protection procedures".
Fortunately for Heathrow, the incident predated the GDPR, so the penalty was issued under the Data Protection Act 1998 and capped at that Act's £500,000 maximum; had it occurred after 25 May 2018, the penalty could have been far larger. The GDPR requires appropriate technical and organisational measures for personal data and explicitly names encryption as one of them, and the ICO expects portable devices that hold personal data to be encrypted and all staff who handle such data to be trained.
A similar incident occurred at a school in Kent, where data including pupil details was exposed when an unencrypted memory stick was lost. Rochester Grammar School (no connection!) apologised and referred itself to the Information Commissioner's Office. It also wrote to parents explaining the breach.
Just take a moment to consider the impact that this breach of trust would have on your clients and customers.
North East Lincolnshire Council was fined £80,000 after a serious data breach in which details of children with special educational needs were lost at a school. The memory stick had been left plugged into a laptop and was stolen from the site. This also reinforces the need to keep track of removable devices and to be aware of who is around you: who is watching, or simply walking past.
Lock your screen whenever you step away, and when you are working with personal data make sure nobody else can see your screen.
In a more shocking example, the Crown Prosecution Service (CPS) lost a set of DVDs. Again the material was unencrypted, and the CPS was fined £325,000. The DVDs contained recordings of interviews with 15 victims of child sex abuse that were to be used at trial, so there were legal as well as privacy consequences. They had been sent by tracked delivery between two CPS offices, but were neither encrypted nor in tamper-proof packaging, and they went missing while left in a reception area for collection.
If an employee loses a device, whether a USB stick, a DVD or a laptop, it is the organisation that is liable for the resulting fine, and since the GDPR came into force the regulator expects such devices to be encrypted.
The ICO recommends encryption in its guidance: https://ico.org.uk/for-organisations/guide-to-data-protection/encryption/.
It is worth being clear about the difference. A password on its own only controls access through the software that checks it; the data underneath is still stored in the clear, and anyone who plugs the device into another machine or opens the file with a different tool can read it without ever being asked for the password. Encryption scrambles the data itself, so that without the key it is unreadable even if the device ends up in the wrong hands.
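To make that distinction concrete, here is an added example written for this page (it is not code from the ICO, from this company or from any product mentioned here). It models a "password protected" record whose bytes sit on the device unchanged next to the same record encrypted with AES-256-GCM under a key derived from the password with PBKDF2. The sample record and the password are constructed for the demonstration; the code needs the third-party `cryptography` package.

```python
"""Password 'protection' versus encryption, as seen by whoever finds the device.

Added example: the gated store mimics software that asks for a password before
showing a file but leaves the bytes on disk untouched; the encrypted store uses
AES-256-GCM with a key stretched from the password by PBKDF2-HMAC-SHA256.
Requires the `cryptography` package (pip install cryptography).
"""
import hashlib
import os
from typing import Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Constructed sample record, standing in for a personnel file on a lost stick.
SAMPLE_RECORD = b"name=A. Person;dob=1980-01-01;passport=123456789"

# Iteration count the OWASP Password Storage Cheat Sheet gives for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000
SALT_LEN, NONCE_LEN = 16, 12


# --- "password protected" but not encrypted --------------------------------

def password_gated_store(record: bytes, password: str) -> dict:
    """Store the record as-is; only a hash of the password is kept for the check."""
    return {"pw_hash": hashlib.sha256(password.encode()).hexdigest(),
            "data": record}


def open_gated(store: dict, password: str) -> Optional[bytes]:
    """The viewer's behaviour: refuse to display unless the password matches."""
    if hashlib.sha256(password.encode()).hexdigest() != store["pw_hash"]:
        return None
    return store["data"]


def read_storage_directly(store: dict) -> bytes:
    """What a finder does instead: skip the viewer and read the raw bytes."""
    return store["data"]


# --- encrypted ----------------------------------------------------------------

def derive_key(password: str, salt: bytes) -> bytes:
    """Stretch the password into a 256-bit key; the salt is stored with the data."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def encrypt_record(record: bytes, password: str) -> bytes:
    """Return salt || nonce || ciphertext+tag, with a fresh salt and nonce each call."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    ciphertext = AESGCM(derive_key(password, salt)).encrypt(nonce, record, None)
    return salt + nonce + ciphertext


def decrypt_or_none(blob: bytes, password: str) -> Optional[bytes]:
    """Return the record, or None if the password is wrong or the blob was
    tampered with (GCM's authentication tag fails to verify in both cases)."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:]
    try:
        return AESGCM(derive_key(password, salt)).decrypt(nonce, ciphertext, None)
    except InvalidTag:
        return None


def finder_can_read(stored: bytes, record: bytes) -> bool:
    """Does the record appear verbatim in what is physically on the device?"""
    return record in stored


if __name__ == "__main__":
    gated = password_gated_store(SAMPLE_RECORD, "Winter2018")
    print("gated, wrong password via viewer:", open_gated(gated, "guess"))
    print("gated, raw bytes off the device:", read_storage_directly(gated))

    blob = encrypt_record(SAMPLE_RECORD, "Winter2018")
    print("encrypted, record visible in raw bytes:", finder_can_read(blob, SAMPLE_RECORD))
    print("encrypted, wrong password:", decrypt_or_none(blob, "guess"))
    print("encrypted, right password:", decrypt_or_none(blob, "Winter2018"))
```

The gated store's password check can be skipped simply by not using the viewer, so a finder reads the passport number straight off the device. With the encrypted store the raw bytes contain nothing recognisable, a wrong password produces no output rather than garbage, and any modification of the stored bytes is detected by the GCM tag. The salt and nonce are stored alongside the ciphertext because they are not secret; only the password must be kept from the finder.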
If a device is lost and it was not encrypted, heavy fines can follow, not to mention the damage to your business's reputation, which can have a far wider and ultimately more costly impact than the fine itself.
We can help! Until 31st December we can offer 6 months free when you purchase a two-year encryption licence or 9 months free for a three-year licence.
Just give us a call now to discuss how to protect your business, your employees and your reputation with your clients.
Posted by Simon