Laptops get lost or stolen. It’s a fact of life, as sure as you never get a pair of socks out of the washing machine.
So for all the procedures in place about securing laptops to desks when in the office, not leaving them in cars or in the back of cabs while out of the office, or even about the levels of sensitivity of information that should be stored on laptops in the first place, none of these can ultimately prevent laptops from getting lost or stolen.
The only answer now, indeed the only answer there has ever been, is that any laptop containing sensitive information should be securely encrypted.
Finally, even the government and its various departments are starting to accept this. But this realization has come at a very heavy price: you only have to look at how HMRC lost two discs with 25 million people’s records on them, or the even more recent loss by the Ministry of Defence…
Two weeks ago the MoD lost a laptop, stolen from a recruitment officer’s car overnight in Edgbaston on January 9. The system contained passport, National Insurance and driver’s licence numbers, as well as family details and NHS numbers for 153,000 people, and banking details of around 3,700 who actually applied to join up.
Not long before that, the MoD confirmed two earlier laptop losses: one a Royal Navy system stolen in October 2006, and one a laptop stolen from an Army recruiting office in Edinburgh in 2005.
The most depressing thing about all of this is that the kind of encryption technology that could have prevented a security breach from these kinds of losses is not even particularly expensive.
Anyway, Cabinet Secretary Sir Gus O’Donnell has now announced a civil service-wide ban on removing unencrypted data from Whitehall offices, in an email to the permanent secretaries in charge of all government departments. “From now on, no unencrypted laptops or drives containing personal data should be taken outside secured office premises,” he said in the email. “Please ensure that this is communicated throughout your organisation and delivery bodies and implemented immediately, and that steps are taken to monitor compliance.”
Still, better late than never?