Companies that fail to encrypt personal information on removable media and mobile devices run the risk of a public shaming -- and possibly fines -- from the Information Commissioner.
In a judgment issued on August 12 against the transport company UPS Inc., the Information Commissioner's Office (ICO) spelled out for the first time the need for mobile device encryption, and suggested that all companies should heed the advice.
The office says that UPS must ensure that "appropriate data security programmes and procedures regarding removable media, including the use of encryption where appropriate, are put in place within six months."
The case related to a laptop computer belonging to a UPS employee that was stolen while he was overseas on business last October. The machine, which was password protected but not encrypted, contained the payroll data of 9,150 U.K.-based UPS employees. It included their names, addresses, dates of birth and National Insurance numbers, as well as their salary and bank details.
In a written statement the assistant Information Commissioner Mick Gorrill said: "Password protected laptops are not secure. I urge all organisations to restrict the amount of personal information that is taken off secure sites. I am pleased that UPS has encrypted its laptops and smartphones, and I urge other organisations to follow suit."
As part of the judgment, UPS issued a signed undertaking promising to follow the recommendations of the ICO and to take better care of personal data in the future. The ICO's powers are currently limited to issuing enforcement orders against companies. The Criminal Justice and Immigration Act, approved by Parliament in early 2008, gave the ICO the power to impose fines. Fines cannot be imposed, however, until the Ministry of Justice issues a tariff of penalties, which it was expected to do by the end of 2008 but has so far failed to deliver.
Rosemary Jay, who heads the technology practice at law firm Pinsent Masons, said the judgment is unusually prescriptive. "The Commissioner usually talks in terms of the ISO model and managing risks, but here he has gone quite specific on the advice he is giving. He is saying you should encrypt mobile devices wherever significant personal information is held."
She also questioned the practicality of keeping personal data to a minimum on mobile devices. "Emails on a BlackBerry, for instance, will be synchronised with office systems, and they might have personal information in attachments," she said. "It is also so easy to move data around in organisations. The main database may be protected, but there will be copies or extracts made for quite legitimate purposes."
Even when companies choose to adopt mobile device encryption, they still need to do the groundwork beforehand. According to Julian Baycock, general manager of Data Encryption Systems Ltd., many encryption projects take a long time to get going because they expose a lack of proper policies and processes. "They need to think about policies, how they are going to manage the keys, and who will have access to them," he said. "It can open up a huge can of worms, and it requires some new thought processes. It also sets restrictions on the way people work."
Baycock said ICO judgments can be useful in reminding companies about the need for encryption, but that budgets are still tight. "Many companies are still just dipping their toe in the water with encryption," he said.
Alan Calder, director of IT Governance Ltd., a consultancy, said that until the ICO gets its powers to impose fines, it is "powerless." He also cast doubt on any changes happening this side of a general election.
"The ICO is supposed to be getting all these new powers. But this has been happening for the last 18 months. The current talk is that something may happen by spring, or maybe not. I wouldn't be surprised if we're still in the same position in a year's time, saying how good it would be for the ICO to impose big fines. I think being the Information Commissioner must be a terrible job."