The Crown Prosecution Service (CPS) has been fined £200,000 for failing to encrypt police interviews about violent and sexual crimes stored on laptops that were later stolen. Some of the 43 interviews with victims and witnesses related to historical allegations against “a high-profile individual”, said UK data watchdog the Information Commissioner’s Office (ICO), which handed down the penalty. Security Experts from Digital Guardian and QA have the following comments on it.
[su_note note_color=”#ffffcc” text_color=”#00000″]Luke Brown, Vice President & GM, Europe Middle East Africa India & Latam at Digital Guardian :
“This case highlights two separate failings made by the Crown Prosecution Service (CPS), both of which are inexcusable when the nature of the data involved is taken into account. The first is the failure to use any form of encryption or robust endpoint protection on the laptops in question. Numerous affordable technologies exist that can easily protect data in the event of laptop theft or misplacement, making it concerning that there aren’t already stringent policies in place regarding its use at the CPS.
The second failure relates to the security and integrity of the CPS’s own supply chain. Simply assuming that suppliers and partners have adequate protection in place simply isn’t good enough, critical customer information must be protected regardless of where it is in the supply chain, and it is the CPS’s responsibility to make sure that is the case. This can be achieved through routine audits and enforceable policies with suppliers relating to data protection policy and technology usage. We have seen numerous data breaches like this over the last year and whilst businesses and organisations often recover the stolen data, it’s the victims that continue to pay the price.”[/su_note]
[su_note note_color=”#ffffcc” text_color=”#00000″]Richard Beck, Head of Cyber Security at QA :
“The CPS handles videos of police interviews containing sensitive data on a daily basis, which in itself is a big responsibility. However, many organisations like the CPS and its partnering film company are often unaware of all of the possible threats to the sensitive data they’re handling and how to protect against them. When organisation are breached, we should have a minimum expectation that our sensitive data including personally identifiable information (PII) is encrypted, therefore reducing the impact and value of the breached information.”
“As cyber security attacks become more sophisticated, targeted and persistent, organisations must ensure that employees are educated on basic IT security fundamentals. First, timely knowledge of the threats themselves. Second, how to minimise the risk of falling foul of these threats. Third, the agreed plan of action when disaster strikes. The majority of IT security incidents are down to human error, so educating employees will significantly reduce the chances and minimise the impact of your business becoming a victim of cyber crime.”[/su_note]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.