Bord Gais recently announced that they lost the personal details of 75,000 customers on a laptop that was stolen, with three others, from one of their offices. What is very disappointing is that the laptop with the details of the 75,000 customers was not encrypted. Given the huge publicity last year over the loss of unencrypted laptops by Bank of Ireland and the HSE, it is astounding that something like this should happen.
Unfortunately I am not surprised. Many companies still take an avant garde approach to the data their customers entrust to them. That information is not seen as belonging to the customer but rather it now belongs to the company and therefore they can do with it what they want. This is not so. Personal information entrusted to an organisation either by customers or staff still belongs to those individuals and the organisation becomes a custodian of that information. This is one of the key tenets of our Data Protection Act.
Let's take a closer look at the word “custodian” to see what it actually means. According to Webster's, a custodian is “one that guards and protects or maintains; especially: one entrusted with guarding and keeping property or records or with custody or guardianship of prisoners or inmates” (emphasis mine).
So does putting personal sensitive information on something that is very portable, highly attractive to thieves and with little or no protection (and no, “advanced password protection” does not secure the data) qualify someone to be a custodian of that information? I think not.
We should also consider why that amount of sensitive information was available to download onto the laptop in the first place. Why was it not stored on a secure server in a secure server room where there would be proper security controls, both logical and physical?
I have no doubt that, despite the publicity surrounding this story and the loss of the laptop earlier this week by the HSE, we will have a similar incident in the not too distant future. Until tougher legislation is introduced that penalises companies for not protecting the data they are entrusted with, this story will repeat itself again and again.
I was asked by RTE Radio 1’s Morning Ireland program to explain what encryption is and to give my thoughts on the issue. You can hear the podcast of the segment on their website.