The heavy ICO fine against Royal & Sun Alliance Insurance PLC has highlighted a shortcoming with encryption.
Fines by the UK’s Information Commissioner’s Office (ICO) for security breaches have been a matter of discussion for some time. For most, they seem fairly small; and if we think about the actual monetary value when compared to a large company’s earnings, they are.
The ICO is an independent authority set up to uphold information rights in the public interest. They have issued some fairly substantial fines that have included – but are not limited to – record fines of £400,000 for a telecoms company; £100,000 for a county council and £180,000 for an NHS trust in London – and that’s just 2016. As more and more companies are found to be negligent in their protection of our private data, these fines will have to rise to reflect the growing concern by the public on why they are not doing more.
The fine itself may seem fairly insignificant; but that, of course, is not the whole story. The negative PR exposure and the damage done through the act in the first place both have a cost.
“You should be able to take reasonable precautions to ensure you have done all you can to protect the data of your users.”
These days, the topic of security is on everyone’s lips and is something that every company needs to take seriously. Whilst it’s not possible to protect against every possible attack vector, you should be able to take reasonable precautions to ensure you have done all you can to protect the data of your users.
One of the simplest and often easiest methods of protecting data from being seen by unauthorised persons is encryption. However, as with many common “IT” procedures, it needs to be seamless and easy to use for the average user to utilise it effectively.
Even companies that have purchased encryption have ended up being on the wrong end of the ICO’s long arm because they failed to implement it correctly or even at all, as demonstrated by the recent case concerning Royal & Sun Alliance Insurance PLC.
Therefore choosing the right encryption depends on many things, including ease of use, validation and being flexible and easy to deploy.
Encryption is not new; it has a relatively low cost and can be rolled out and maintained with ease. It would not have stopped the theft of the hard drive in this case but it would have stopped the data being accessible.
“Encryption is not new; it has a relative low cost and can be … maintained with ease.”
Fines need to be in place but more importantly there needs to be a follow-up procedure of some kind: if you are holding other people’s data you need to do all you can to keep it safe.
Data loss or theft is something we have to deal with. With so many breaches taking place through lapsed security or outdated applications, companies need to do more to keep it safe. Stopping them is nearly impossible but making it harder is not as difficult as it sounds.