The SiliconRepublic published a story highlighting how questioning from Ruairi Quinn, spokesperson on Education and Science for the Labour party, exposed how over 100 laptop and desktop computers, 14 Blackberry phones and 11 portable media devices were lost over the past 5 years.
While there are no details available as to whether or not any sensitive data were stored on this devices it appears that many of the lost computers were not encrypted. These findings, together with recent revelations of data breaches in Irish government departments and the loss of two CDs in the UK containing records of 25 million people, highlight the need for government agencies to take the security of personal information belonging to citizens seriously.
In the above cases it may be the loss extends to just the value of the equipment. However, given the nature of how data is passed around within organisations, both private and public, I suspect some of those lost devices contain very sensitive information either relating to the department themselves, staff or the citizens who entrusted their personal data to the care of the state.
People often forget that portable devices contain sensitive information in many formats, either as documents, databases or spreadsheets containing data or within emails, or as attachments to emails that are stored on locally cached mail stores on the device. I hope that each department, whether affected by the above or not, will take heed of this story and take steps to ensure future leakages are prevented in the future.
I also suspect that the numbers uncovered by Mr. Quinn are well on the conservative side and it would be interesting to see how much data has been lost by staff using unofficial mobile equipment such as their own USB keys, laptops, portable storage devices and mobile phones.
While we mostly have a choice with what private organisations, i.e. we do business with them or not, we share our information with we often do not have the same flexibility with government departments. That is why it is incumbent on government departments to ensure they maintain the highest standards with regards to data protection.
The fact that this information only came to light following questions raised in the Dail by Mr. Quinn also highlights the need for more people to support our call for Data Breach Disclosure laws here in Ireland.
The next meeting of the ISSA on February 21st will be on Security Breach Reporting. If you feel strongly about this issue, on either side, it would be great to have you there to share your thoughts. If you cannot make then please feel free to contribute here via the comments feature.