UK Fines Group For Lost Laptop As US Gov't Keeps Losing Laptops Itself

from the nice-work dept

Thu, Feb 15th 2007 3:41am — Mike Masnick

Just as we find out that the latest case of a lost government computer containing even more sensitive data, it appears that the UK government is taking more of a hard line on similar data losses. In the US, the law right now requires disclosure -- and that's about it. It's become pretty standard for US companies to also offer credit monitoring -- but it's not particularly costly to lose sensitive data these days. Over in the UK, however, the Nationwide Building Society has been fined nearly $2 million for losing a laptop that included details on 11 million customers. Now can we get the US government to fine itself for all the sensitive data they keep losing on laptops?

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

13 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

rahrens (profile), 15 Feb 2007 @ 4:31am

lack of encryption
It's not actually losing the laptops, it's the fact that when they do, the laptop hasn't been encrypted.

I've worked for the gov't for thirty years, and no matter how hard you try, once an Agency gets over a couple of thousand people, keeping track of all of their equipment gets to be a really hard job.

So, as with my own Agency, you don't try so hard to stop what you can't, you concentrate on protecting what you know you can't afford to lose. In other words, you not only encrypt the hard drive of all laptops, but you set up your systems so that accessing the information is done through secure, encrypted VPN connections to protected servers where the information is kept safely behind firewalls. That way, when (not if, but WHEN) a laptop is lost, there isn't any information there to be compromised. So really, the only info you are protecting on the laptop is your network information.

You'll never be able to stop the loss of portable hardware. You concentrate on protecting your information instead.

We've been doing this for over five years, now.
[ link to this | view in thread ]
Charlie, 15 Feb 2007 @ 6:19am

Rahrens stated it well. I work for a small company were we use real production snapshots of our database for development, and hence we have sensitive data. We use multiple levels of encryption to protect this data. If we were larger we would probably want to generate fake data for most development (throwing out the encryption would speed our development systems), but we would still need to use real snapshots for the final QA.

As for the UK Fine, 2 million is nothing compared to the cost of credit monitoring for 11 million customers, even if there are significant discounts over retail prices for the service.

Granted credit monitoring isn't a requirement, but I think a simple fine might make the company wring their hands and say they paid the fine and they're done instead of providing the customer with at least some remediation.
[ link to this | view in thread ]
Sanguine Dream, 15 Feb 2007 @ 6:44am

I'm with Charlie on this one. If a fine becomes the punishment then most companies will just pay it and move on to the next data loss. As he points out credit monitoring for all those customers will probably cost more than the fine itself, making the fine a slap on the wrist.

And remember that free credit monitoring from the company that lost your data does not gaurantee that the shop/store/site where your lost/stolen was used will copoerate with you on repaiment.
[ link to this | view in thread ]
TheDock22, 15 Feb 2007 @ 6:56am

Fine and Dandy
That's great for the private companies, but what about the government?

If they made such a law, who would pay for the credit monitoring? The American people, through taxes.
[ link to this | view in thread ]
Enrico Suarve, 15 Feb 2007 @ 8:13am

Re:
Shit you're right - I saw the new this morning and thought 'fekkin A - they're doing something about it at last'

But you're right this probably is the cheaper option

Problem is if you state "and you must do credit monitoring" in a sentence hearing, most copmpanies would just go with some bare minimum monitoring and say they had complied (I always wonder exactly how far companies go at the moment)

The other problem with the alternative higher penalties especially against institutions like banks is you could damage their performance, which in the end would probably hurt the very customers whom you are trying to protect

No idea what the solution is in all honesty
[ link to this | view in thread ]
Gary, 15 Feb 2007 @ 9:38am

What kinda laptop's are they losging here?
Who collects the fine? What would it be used for? Give that 2 million dollar fine to 11 million customers... that is 20 cents each. Wow... seems pathetic. I think the fine should be high enough to make the company want to actively protect data as opposed to just waiting until something bad happens and paying the one time fine.
[ link to this | view in thread ]
Whocares, 15 Feb 2007 @ 10:04am

How the heck are they losing laptops?
I can understand forgetting your jacket in a restaurant, but how do people keep losing laptops? Maybe it's just me, but if I'm responsible for taking care of a piece of hardware that costs a few thousand dollars and has sensitive data on it, I'd keep my eyes on it. Maybe if they fired anyone whose laptop went missing, people might be a little more responsible. And maybe if companies issued some cool-looking watches to their employees that made a buzzing sound if they got more than twenty feet from the laptop, they'd have even less of a problem. I know you'd say "people would want to wear their own watch," but if you knew you were going to get fired for losing the hardware, I think that'd be a pretty good argumet to wear the issued one.
[ link to this | view in thread ]
Enrico Suarve, 15 Feb 2007 @ 10:38am

Re: How the heck are they losing laptops?
Its in the article - it was stolen from his house

Thats how a majority of laptops go 'missing' regular burglaries where the theif opens up your trunk/house/office and comes across a laptop...

so no, flashy watches aren't going to help - only proper security of the data in the first place will
[ link to this | view in thread ]
Michael, 15 Feb 2007 @ 11:48am

Re: lack of encryption
Rahrens, I agree with you so much about protection. Its unacceptable to have any computer with information that is vital to a company, its clients, or National Security. There is no reason that this type of information should go unencrypted these days especially by government agencies.
[ link to this | view in thread ]
Steven, 15 Feb 2007 @ 4:59pm

I agree with encrypting the files, but there should be some reprecussions for losing data. As stated depending on the size of the company some of these fines won't hurt them. Why is it when CEO's lose money for a company that even when they get fired they get a fat check. People's heads need to roll. If a person quit or was fired and then the person who was in charge of getting the equipment back should be fired, what the hell are we paying them for if they can't even do their jobs. If a department continues to lose data then the manager should be fired, and up and up you go. This tactic would hopefully work for government positions because fining them would only take away from the same people the loss was hurting. We need to start individualizing the faults as much as possible. Big Corporation should be fined at the very least a few thousand for each persons data they lost if it is because of the CEO there should be a clause in their contract that says that problems like these would be deducted from their salary, why the hell pay them 10 million a year when a single fine caused by their actions would cost the company millions over probbably several years.
[ link to this | view in thread ]
Steven, 15 Feb 2007 @ 5:00pm

I agree with encrypting the files, but there should be some reprecussions for losing data. As stated depending on the size of the company some of these fines won't hurt them. Why is it when CEO's lose money for a company that even when they get fired they get a fat check. People's heads need to roll. If a person quit or was fired and then the person who was in charge of getting the equipment back should be fired, what the hell are we paying them for if they can't even do their jobs. If a department continues to lose data then the manager should be fired, and up and up you go. This tactic would hopefully work for government positions because fining them would only take away from the same people the loss was hurting. We need to start individualizing the faults as much as possible. Big Corporation should be fined at the very least a few thousand for each persons data they lost if it is because of the CEO there should be a clause in their contract that says that problems like these would be deducted from their salary, why the hell pay them 10 million a year when a single fine caused by their actions would cost the company millions over probbably several years.
[ link to this | view in thread ]
topspy, 15 Feb 2007 @ 5:26pm

Being responsible for data/property
In a former life, I was in charge of securing VITAL confidential/proprietary clinical trials data and other sensitive documents for a medical/bio-tech startup company. The research probably cost several million US$$$ & more than a few years of time. Away from the office(s), I carried the data in a large briefcase that I NEVER let out of my site or beyond a few feet out of my reach unless I handed-it-off to another trusted employee.

Once, going out to dinner at a swanky restaurant with a group of coworkers & the new VP of Ops, the new VP suggested that I should just leave the briefcase in my car (he knew what was contained inside the briefcase). I said, "no thanks". At the time I was only a lowly Admin Asst, but there was no way that I would leave that valuable property on which the whole entire future of the company was based in an unattended car outside of my direct control and subject it to possible theft/loss.

Contrary to popular belief, the trunk of a car is NOT a secure/concealed storage environment....especially when you don't know whom might be watching you stash something there before your leaving the car.

I was brought-up by my parents to respect and take responsibility for myself, my job, and whatever is entrusted to me. Apparently, that VP wasn't. Along w/the new CEO, the pair of them promptly bankrupted the company.....after handsomely lining their own pockets, of course.

Nowadays, we are breeding a culture of carelessness/carefreeness and shirking responsibility is encouraged, or at least is not effectively penalized.

Organizations & employees, as well as gov't & society are simply too lax in their attitudes toward protecting property/data both inside & outside of the office environment.

Good Luck!!
[ link to this | view in thread ]
topspy, 15 Feb 2007 @ 5:53pm

oops...
EDIT: (1st paragraph)
I meant *sight* , not "site". ;>
[ link to this | view in thread ]