AlertBoot Endpoint Security

The title is not a typo.  Starting April 6, 2010, the Information Commissioner's Office (ICO) in the UK can fine organizations up to £500,000 for data breaches and other forms of non-compliance with the Data Protection Act (DPA).

  • Fines From £5000 to £500,000
  • ICO Looking To Make An Example?
  • Monetary Penalty Guidance
  • Fines Necessary

One way these fines can be minimized, perhaps even eliminated, is by having adequate information security measures in place, such as laptop encryption software for any portable computers an organization uses (there are obviously other things to do besides using encryption software, though).

Maximum Fines Jump From £5000 to £500,000

If you've been following the news, the ICO got the go-ahead to assess fines last year, and this new power becomes effective on April 6.  I've read that the ICO has had the power to assess fines of £5,000 to date, although most companies were let off with the signing of an Undertaking.

What's an Undertaking?  That's where the organization's leadership promises to improve its security measures after it has had an information security breach.  In many cases, the use of encryption software on portable devices such as laptop computers and external hard disk drives is included as part of such improvements.

Here's an example of the promises made in an Undertaking (my emphases), from one particular case involving the Alzheimer's Society, although the same wording can be found in pretty much every Undertaking:

  1. Portable and mobile devices including laptops and other portable media used to store and transmit personal data, the loss of which could cause damage or distress to individuals, are encrypted using encryption software which meets the current standard or equivalent;
  2. Physical security measures are adequate to prevent unauthorised access to personal data;
  3. Staff are aware of the data controller’s policy for the storage and use of personal data and are appropriately trained how to follow that policy;
  4. The data controller shall implement such other security measures as it deems appropriate to ensure that personal data is protected against unauthorised and unlawful

Like I mentioned before, data protection involves more than the use of data encryption software.

For example, if an organization does not use computers but has an extensive collection of sensitive personal information in paper files, it must make sure there's adequate security in the form of locking file cabinets and the like.  Yep, the ICO also looks into the security of information on printed materials.  After all, data is data.

Will The First Breaches Set The Agenda?

The opinion out there is that the ICO will come down hard on the first set of breaches that come its way after April 6.

The reason?  To set a standard for future breaches and penalties.  Of course, the ICO denies this, noting that the "ICO would not make an example of an organisation for the sake of making an example, it would be done on a case-by-case basis," according to a spokesperson.

In other words, the fines would be assessed depending on the situation: the nature of the breach, whether it was possible to prevent it, whether the protections in place--if any--were adequate, etc.  This case-by-case assessment is probably why there are reports that the ICO will be able to issue only about 25 fines a year.

ICO Has Guidelines For Assessing Fines

Sections 3 and 4 of the "Information Commissioner’s guidance about the issue of monetary penalties prepared and issued under section 55C (1) of the Data Protection Act 1998" provide guidance on the circumstances under which monetary fines would be handed out, including examples.

(Among the eyebrow-raising things about the guideline?  Under section 7.4, organizations get an early payment discount of 20% if full payment of the fine is made within 28 calendar days of the penalty notice being served.  I understand what the purpose of the discount is, but I still find it surprising: it makes it look as if the government has set up shop.)

Here's an interesting excerpt from the guideline that bears analysis:

As a general rule a data controller with substantial financial resources is more likely to attract a higher monetary penalty than a data controller with limited resources for a similar contravention of the data protection principles. It is not possible to provide specific examples at this early stage until actual cases present themselves. However, when precedents are available from either the monetary penalty notices served by the Commissioner or the decisions of the Tribunals, further guidance will be produced so that a data controller can better assess its position [Section 2, p.4; my emphases]

Perhaps I'm reading too much into the above, but it seems to me that examples will be made of the first companies that have significant breaches.  After all, if the government hands out too low a fine at the start, won't later organizations complain when their fines are higher?

Fines Perhaps Controversial, Definitely Necessary

Absolute Software and the Ponemon Institute have released a survey showing that nearly 90% of UK organizations admit to losing a laptop.  Of these losses, 61% resulted in a data breach.

Mind you, this is three years into the numerous data breaches that rocked the UK, such as the loss of two CDs with child benefits records that affected nearly one-third of the UK's population.

Even after all these stories in the media, we find that companies have not woken up to the need for better data security.  Or rather, if you think about the nature of the fines to be handed out soon, perhaps it would be more accurate to say that organizations don't feel the need for better data security: serving the customer is one thing, plunking down relatively big money to protect the customer's data is something else.

Will the fines change the behavior of companies?  Not at first; but then stories about sizable fines will make the rounds in the media, and that will probably prompt many companies to take a second look at the data security procedures they have in place (which, I should point out, will also require that a company be able to prove it has information security controls in place).


Related Articles and Sites:
http://www.infosecurity-magazine.com/view/8155/industry-prepares-for-new-ico-penalties-starting-next-month/
http://www.computing.co.uk/computing/analysis/2259581/watchdog-pounce
http://www.networkworld.com/news/2010/031510-humans-continue-to-be-weak.html?page=1

The UK's Information Commissioner's Office has reported a breach of personal details for 2,135 people by the Royal London Mutual Insurance Society, the largest mutual life and pensions company in the United Kingdom.  It is exactly the kind of breach that disk encryption software like AlertBoot could have prevented, had it been used.

8 Laptops Stolen, 2 Contained Sensitive Information

Eight laptop computers were stolen from the insurance company's offices in Edinburgh.  Of those, two stored the information of clients' employees.  The computers did not use encryption software, but were password protected, which is pretty much useless: a login password does nothing to stop someone who pulls the drive and reads it on another machine.

An internal report to Royal London showed that the company failed in many aspects.  The company "was uncertain about the precise location of the laptops at any given time and that physical security measures were inadequate," per scmagazineuk.com.

Even more damning, though, is that "managers were not aware that personal information was stored on any of the laptops, which meant no additional precautions to control and secure the data had been taken."

Keeping Track of Information

In yesterday's post, I noted that not storing sensitive information is always the best form of data protection, in the sense that if you don't hold sensitive data there is nothing to protect.  I also noted that this doesn't work very well in practice.

The above story illustrates why.  The crux of the matter lies in knowing if there's any sensitive data and, if so, where.  In other words, someone or something must keep track of the information.  This is easier said than done.

Now, it could be that company policy prohibits sensitive information from being stored on laptop computers at all.  My guess is that Royal London, being one of the largest pensions companies in the UK, had such a policy in place--most big companies that deal with sensitive data have one, especially when they don't have adequate security, like encryption for laptops, in place.  Did it work?

No.  It almost never does--I'd like to put the figure of companies that can make it work at 1%.  The problem is that most companies think they're that 1%, which clearly can't be.


Related Articles and Sites:
http://www.scmagazineuk.com/royal-london-mutual-insurance-society-loses-eight-laptops-and-the-personal-details-of-2135-people/article/166024/
http://www.insurancedaily.co.uk/2010/03/18/royal-london-faces-up-to-data-protection-breach/
http://en.wikipedia.org/wiki/Royal_London

Insidevandy.com is reporting that the theft of a professor's desktop computer has resulted in the theft of information for 7,174 current and former students.  There is no mention of whether data security products, such as drive encryption software like AlertBoot, were used.

1,347 Current Students Affected

Of the 7,174 students, 174 are current grad students and 1,173 are current undergraduates.  The stolen data included names and Social Security numbers, which were part of the professor's grade book (not all students' SSNs were included, it seems: the story notes that the SSNs were "for some students").

The theft occurred on February 6, but the letters alerting students to the breach were sent out on March 10 and 11.  Seeing how the university was able to accurately detail how many students were affected, I guess they took the time to do some forensic investigation, most probably on backup data.

The computer was stolen from a locked office.  The provost has asked "all academic deans...to purge information like this from their files and to not collect it in the future" in a memo.

Disk Encryption or Purging?

I'd say there's a good chance that the information on the stolen computer was not protected--otherwise, it would have been mentioned.  Going forward, though, would it be a good idea?

It depends.  If everyone purges sensitive information from their computers, the obvious answer is "data protection is not necessary," mostly because there is no data left to protect.  The question, though, is how many people will:

  • Actually read the letter?
  • Take the time to delete sensitive data?
  • Not miss a particular file or files that contain sensitive information?

The provost's memo would have had more bite to it if he had also provided software that scans through a computer's contents and pinpoints any instances of sensitive information, such as credit card numbers or SSNs.  After all, this is what a number of malware programs do to steal data, and plenty of similar commercial (i.e., for legal purposes) software exists for finding such information so that it can be deleted.
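To make the "scan and pinpoint" idea concrete, here is an added example of such a scanner (not code from the original post, and not an AlertBoot product).  It looks for SSN-shaped numbers and filters them with the publicly documented structure rules (area numbers 000, 666 and 900-999, group 00 and serial 0000 are never issued), and for card-number-shaped digit runs that pass the Luhn check digit.  The grade-book sample it scans is constructed for the example; the file layout and function names are assumptions.

```python
"""Find likely Social Security numbers and payment card numbers in text files.

Added illustration for the post above; not AlertBoot code.  The SSN structure
rules and the ISO/IEC 7812 Luhn check are public; the sample data is made up.
"""
import re
from pathlib import Path

# SSN written as 123-45-6789 (or 123 45 6789).  The lookarounds stop the
# pattern from matching inside a longer digit run.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ](\d{2})[- ](\d{4})(?!\d)")

# Candidate card numbers: 13-19 digits, optionally separated by spaces/dashes.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def ssn_is_plausible(area: str, group: str, serial: str) -> bool:
    """Reject numbers the SSA never issues; cuts false positives on IDs and dates."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def luhn_ok(digits: str) -> bool:
    """ISO/IEC 7812 Luhn check digit; every real card number passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str):
    """Return (kind, masked_value, line_no) for each plausible hit in `text`.

    Values are masked so the scanner's own report does not become a new copy
    of the sensitive data."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if ssn_is_plausible(*m.groups()):
                hits.append(("ssn", "***-**-" + m.group(3), line_no))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                hits.append(("card", "*" * (len(digits) - 4) + digits[-4:], line_no))
    return hits


def scan_paths(paths):
    """Scan each readable file; return {path: hits} for files with findings."""
    findings = {}
    for p in map(Path, paths):
        try:
            text = p.read_text(errors="replace")
        except OSError:
            continue                # unreadable file: skip, keep scanning
        hits = scan_text(text)
        if hits:
            findings[str(p)] = hits
    return findings


# Constructed sample resembling a grade-book export (not real people or cards).
# Line 3 has an SSN with area 000 (never issued); line 5 has a 16-digit run
# that fails the Luhn check.  Only lines 2 and 4 should be reported.
SAMPLE = """\
name,id,grade
Alice Example,123-45-6789,A
Bob Example,000-12-3456,B
Card on file: 4111 1111 1111 1111
Order 2010-03-10 total 1234 5678 9012 3457
"""


def demo():
    """Write the sample to a temporary file and scan it the way a desk-side
    clean-up tool would scan a user's documents folder."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "gradebook.csv"
        path.write_text(SAMPLE)
        return scan_paths([path])


if __name__ == "__main__":
    for path, hits in demo().items():
        for kind, masked, line_no in hits:
            print(f"{path}:{line_no}: {kind} {masked}")
```

Run against a real home directory, the regexes will also flag order numbers and phone numbers; the structure and Luhn filters remove most of that noise, and the masked output lets a user decide what to delete without the report itself becoming a second copy of the data.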

Also, not storing sensitive data is always a better form of data security than, say, using encryption software.  For example, full disk encryption only protects data at rest, i.e., when a powered-off computer gets stolen; once the machine is booted and unlocked it is 0% effective against other threats, such as Trojans.  But, again, it all revolves around whether the data actually does get deleted.

In my experience, people lose track of what's saved where and which files contain what.  While deleting and not storing sensitive data is the best form of data security one could have, when theory diverges from reality, a different approach must be tried.

And theory tends to diverge from reality a lot.


Related Articles and Sites:
http://www.insidevandy.com/drupal/node/13438
http://www.vanderbilt.edu/info/identity-protection/

  • Product designed to retrieve forgotten passwords: 100,000 guesses/second
  • Is encryption safe?

One of the best ways of keeping your data safe in case a laptop computer gets stolen is via the use of disk encryption software like AlertBoot.  However, there are ways of getting around it, the easiest being cracking the password.

Cracking Passwords - Brute Force

The easiest way of obtaining a password, but also perhaps the most illegal, is to physically threaten someone.  Another easy way is to happen upon said password (think: Post-It note).  These are not what we refer to when talking about "cracking passwords."

Cracking passwords requires the element of guessing what the actual password might be: trying past passwords a person has used; trying personal information, such as birthdates and names; or just plain guessing.  This process means long hours at the keyboard.

Unless you can get a computer to do it for you by trying every possible password.  Trying all combinations systematically (usually alphabetically), from A to Z, is called cracking by brute force.

Well, cracking passwords has gotten easier, if a bit more expensive.  ElcomSoft has come up with its latest "password retrieval" product that can try 103,000 passwords per second.  This rate is actually for cracking WPA (basically, wireless router) passwords, but imagine for a second that it could be applied to everything.

Do Encryption Solutions Work Anymore?  Hacking Passwords

There are two ways of accessing encrypted data: know the encryption key or know the password that unlocks it.  Of the two, the key is almost always the longer, more complex one; thus, it makes sense to attack the password, which is shorter and, theoretically, easier and faster to guess.

How easy?  Well, consider an eight-character password that uses letters and numbers (although not necessarily both: 12345678 would be a valid, but poor, password under these conditions).  This means each position in that 8-character password has 36 possible values (26 letters, A through Z; 10 digits, zero through nine).  That's 36^8 combinations, which equals about 2.8 trillion.

At a rate of 103,000 passwords per second, it would take about 10.5 months to go through all 2.8 trillion combinations.  Normally, one expects the password to be found after about half the combinations have been tried, so the expected time to a breakthrough is about 5 months (an average over many cracking runs; the result for any individual machine will obviously vary).

It should be noted that the above is for a case where one knows the password is an eight-character password: if one doesn't know how long the password is, a person would have to start with one-, then two-, then three-character passwords, and so on.  Under such circumstances, it would take...about 10.8 months to go through all possible tries.

Interestingly enough, a 9-character password, under the same conditions, would take 31 years to go through all tries (36^9).  A 10-character password would take 1,125 years (36^10).  How come?  Exponential growth: every extra character multiplies the work by 36.

The above is the reasoning behind IT personnel asking that passwords be reset every 3 months or so when 8-character passwords are used: the password changes before an attacker who started guessing on the day it was set could expect to find it.  It follows that, for shorter passwords, the reset has to be even more frequent.

Encryption is Still Safe - Rate Limiting

It depends on what one's talking about, but when it comes to laptop encryption, there are ways to counter password cracking attempts.  The first is to use a sufficiently long password, one that's at least 9 characters long.

But even if one were using a 6-character password (36^6 combinations, crackable in about 6 hours at the above rate), the use of rate limiting (in the case of AlertBoot endpoint security, exponential rate limiters) would foil such brute-forcing attempts.

What is rate limiting?  The introduction of a time-out period between password tries: even if a device can attempt 103,000 passwords per second, all that raw power is useless if the laptop only allows one password try per second: the 2.8 trillion tries would then require 2.8 trillion seconds (about 89,000 years).

Exponential rate limiting is where the time-out period doubles after each wrong guess: one second, then two, then four, then eight, and so on.  By the tenth try or so, the wait between guesses is already measured in minutes.
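The arithmetic in the last few paragraphs (keyspace sizes, time at 103,000 guesses per second, the one-guess-per-second limiter and the doubling limiter) is carried through below as an added example; it is not code from the original post or from AlertBoot.  The 103,000/s rate is the figure quoted above; the two limiter models are assumptions made for the sake of the calculation, not a description of how any product implements them.

```python
"""Brute-force cost arithmetic for the password discussion above.

Added illustration, not AlertBoot code.  GUESS_RATE is the rate quoted in the
post.  The fixed-delay and doubling-delay limiters are assumed models used to
show how the numbers change, not a description of any product's behaviour.
"""
SECONDS_PER_YEAR = 365.25 * 24 * 3600
GUESS_RATE = 103_000  # guesses per second, from the post


def keyspace(alphabet_size, length, unknown_length=False):
    """Number of candidate passwords.

    With unknown_length=True the attacker has to sweep every length from 1 up
    to `length`, so the individual sizes are summed."""
    if unknown_length:
        return sum(alphabet_size ** n for n in range(1, length + 1))
    return alphabet_size ** length


def offline_seconds(space, rate=GUESS_RATE, fraction=1.0):
    """Seconds to try `fraction` of `space` at `rate` guesses per second.

    fraction=1.0 exhausts the space; fraction=0.5 is the expected time to hit
    a uniformly random password."""
    return space * fraction / rate


def fixed_limit_seconds(space, delay=1.0, fraction=1.0):
    """Online guessing against a prompt that accepts one guess per `delay`
    seconds: the attacker's hardware speed drops out of the equation."""
    return space * fraction * delay


def exponential_limit_seconds(wrong_guesses, first_delay=1.0):
    """Total time spent waiting after `wrong_guesses` failures when the delay
    doubles each time: first_delay * (1 + 2 + 4 + ...) = first_delay * (2**n - 1)."""
    return first_delay * (2 ** wrong_guesses - 1)


def humanize(seconds):
    """Render a duration in the largest unit that gives a readable number."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def table(alphabet_size=36, lengths=(6, 8, 9, 10)):
    """Per password length: exhaustive offline time, expected offline time,
    and time under a one-guess-per-second limiter."""
    rows = []
    for length in lengths:
        space = keyspace(alphabet_size, length)
        rows.append((length,
                     humanize(offline_seconds(space)),
                     humanize(offline_seconds(space, fraction=0.5)),
                     humanize(fixed_limit_seconds(space))))
    return rows


if __name__ == "__main__":
    print("len  exhaustive @103k/s   expected @103k/s   1 guess/s limiter")
    for length, full, half, limited in table():
        print(f"{length:>3}  {full:>19}  {half:>17}  {limited:>18}")
    print("unknown length, up to 8 chars:",
          humanize(offline_seconds(keyspace(36, 8, unknown_length=True))))
    print("total wait after 10 wrong guesses, doubling from 1 s:",
          humanize(exponential_limit_seconds(10)))
```

One caveat worth keeping in mind: a limiter enforced by the pre-boot prompt only slows an attacker who goes through that prompt.  An attacker who images the disk and guesses offline never sees the delay; in that case the cost per guess is set by how expensive the key-derivation step is, which is why long passwords still matter even with rate limiting in place.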

For the time being, encryption software still provides the data security many people and business require.


Related Articles and Sites:
http://www.net-security.org/secworld.php?id=9021

The Boston Globe is carrying a short article on how a number of companies in Massachusetts have suffered data breaches of customers' personal information, all of them in recent months.  In most cases, the use of data encryption would have been helpful (and in one case, actually, encryption was used to safeguard data).  What is most notable, though, is the comment section.

Hancock, Lincoln National, Beer & Wine Hobby, Nuance, Beecher Carlson, and PF Chang's

Six companies were mentioned:

  • John Hancock, the insurance company, misplaced a CD with customer information, including names and SSNs.  The information was encrypted, but Hancock offered credit monitoring to customers anyway
  • Lincoln National Corp., another insurance company, leaked access credentials, meaning anyone who had them could get into its computer system
  • Beer & Wine Hobby announced a breach of their computer system which exposed personal information for 35,000 customers.
  • Nuance Communications reported a laptop computer was stolen during a car break-in, affecting over 1,000 MA residents (SSNs were included)
  • Beecher Carlson Holdings, an insurance broker, announced the theft of two laptops while employees were at an off-site meeting.  SSNs of employees were included in the laptops
  • PF Chang's, the restaurant chain, reported the theft of electronic equipment that contained personal information

Some of these have been covered by this blog already.

Comments Section

What's most revealing, though, is the comments section (as is usually the case).

Someone going by the ID of aperture noted that "ALL entities that are entrusted with vital information [should be mandated] to install VIABLE electronic safeguards."

Perhaps this person missed the part where the article noted that since March 1 "companies need to encrypt personal data stored on laptops or sent over the Internet."  Need, mind you, not may choose to.  In fact, this law is one of the most stringent regulations in the US when it comes to personal information security.

Another, a6, noted that "it is time to hold CEO's criminally responsible and to fine companies big $ for sharing the information."  Newsflash: many people don't listen to the CEO if they think they can get away with it.  And fining companies is the point of the new regulation that kicked in this month.  I'll have to cut this guy some slack, though, since this detail is not mentioned in The Boston Globe article.

Besides, putting all the onus on the CEO is going to backfire when an employee has a beef with the guys above.  For example, take those states where the car that rear-ends the car in front of it is automatically liable for the accident: there are more than enough cases where enraged drivers will maneuver to force a rear-end collision to spite someone.  Call it an unintended consequence: a law that was supposed to decrease traffic accidents actually encourages them in particular instances.

Imagine what could happen if the CEO is "responsible for all."  Some might say that's not a bad thing; I feel bad for such people.  If possible, quit your job and go to greener pastures my friend.

Commenter Aljg noted that "As a database developer, I'm shocked that these companies let SS #s and/or CC # information on laptops. There is ZERO reason to have this information on laptops since laptops never/should never run production applications imo."

While entirely true, what Aljg forgets is that not everyone is a database developer; the presence of Social Security numbers and credit card information could be for more pragmatic reasons.  For example, the laptop is what a company uses for billing customers.  Or perhaps the laptop belongs to the guy in HR, and he has a file for HR-related tasks that require SSNs to be present.

(I should point out that none of the companies mentioned above seemed to be in a position where they were developing databases.  Perhaps Nuance, but from the story it sounds like only employees were affected, which would point to the HR scenario.)

Voodoo55 noted that "Anyone who thinks even the best security can't be penetrated is mistaken."  I've got to concur.  At the end of the day, though, I'm not going to recommend that people stop updating their anti-virus software; that they stop using disk encryption software like AlertBoot; that they stop using laptop cable locks; etc.

I mean, seatbelts and airbags don't prevent people from getting hurt 100% of the time, but you'd have to be crazy to recommend against their use because they don't always work.


Related Articles and Sites:
http://www.boston.com/yourtown/burlington/articles/2010/03/13/new_reports_of_data_breaches_leave_thousands_in_mass_at_risk/

The Veterans Affairs (VA) Department has announced a breach of patient data, which is reminiscent of a breach back in 2006.  However, based on the response the VA took, I'd say that they've definitely gotten better at handling data security.  And it's not just because they've gone ahead and used data encryption like AlertBoot on their laptops.

Physician Assistant Stores Data On Personal Laptop

The entire situation was blown wide open when a nurse scientist alerted the compliance officer that a physician assistant would not destroy illegitimately-obtained VA patient information from her personal laptop.  The physician assistant resigned on February 26 due to subsequent events.

Apparently, the physician assistant had two sets of patient data: one set with three years of information and the other with more than 18 years' worth of data.  Despite what seems to be an inordinate amount of information, the VA's CIO has noted that:

"The employee in question was never able to connect her unencrypted laptop to the VA network. Port-blocking technologies are enforced in Atlanta, and she was denied access. Thus, no ‘downloading' of information ever occurred. Any information existent on the personal laptop was hand-entered, and as you point out this violates all kinds of policies and training at the VA."

Of course, that doesn't make sense: 18 years' worth of data was "hand entered?"  That physician assistant is going to need some medical assistance herself, on her wrist, especially when you consider she started working at the VA in October 2009.

There are reports, however, that the VA inspector general is investigating the possible use by the physician assistant of USB flash drives to transfer the data to her laptop.

Why did the physician assistant have all this data?  They were for an unapproved research project, according to the inspector general's office.

Layers Of Security Includes Employee Education

While there was a data breach in the technical sense, we can see from the above that the VA department has made great strides in its data security.  To begin with, I know that disk encryption is used on all VA-issued laptops, the deployment of encryption software having been completed last year (if memory serves regarding when the project was completed).

But, as the above story shows, it's not just the use of encryption that guarantees the security of patient information.  While many tools are needed--notice the port-blocking for non-VA laptops mentioned by the VA's CIO--ultimately, it's people that will make the difference in whether data remains secure or not.

This is especially true when it comes to people who are supposed to have access to the data but decide to repurpose that information for other uses.  Not that I'm saying there should be a culture of employees spying on each other.  However, when people become aware of unauthorized uses, procedures, etc., they need to know that they should come forward and rectify the situation, like the nurse scientist did in the above case.


Related Articles and Sites:
http://www.nextgov.com/nextgov/ng_20100309_9888.php?oref=topstory
http://www.federaltimes.com/article/20100311/IT01/3110306/1018/DEPARTMENTS
http://www.ajc.com/news/dekalb/security-breach-at-atlanta-365828.html
