
One a Week?
Do you think they could 'lose' one my way?
A year and a day after losing child benefit records for every family in the UK and promising to reform data handling, the British government is still losing a laptop every single week. Figures collated from Parliamentary answers reveal the government has lost 53 laptops since 20 November 2007, when Alistair Darling told the …
If the number is accurate, it sounds surprisingly (and creditably) low to me.
It would be interesting to know how many laptops are in the hands of gov departments (and their contractors) - I'm sure it must be thousands. Anyone who is responsible for more than a hundred laptops knows that 'shrinkage' is inevitable - whether through stupidity, negligence or targeted theft. If you need to use portable devices, occasional losses are the cost of doing business; you can (and should) minimise the risk, but you can't eliminate it completely.
The best solution is to ensure that no data is held locally (<cough>Citrix</cough>) or, failing that, strong encryption (preferably not involving a password stuck underneath the device). The 'unloseable' portable device has never existed and will never exist.
I'm surprised the numbers are so low. If there is a story, it might be under-reporting because of the hysterical reaction to lost government computers. Golly, I lost a company laptop (carefully hidden) during a normal household robbery. I guess quite a few here have had a mobile stolen. Given the large numbers of civil servants who have to use mobile IT - how many would you expect to lose by muggings etc., i.e. where the civil servant was not culpable?
I suppose that figure is the reminder that data will always be lost, however you try and protect it. Standard rules: don't have more than you really need, distribute it, make sure you don't have 'single points of entry' - and pretty much anything this government has rejected. A walkabout laptop/mobile/stick should have no more impact than the cost of the device itself.
This is just the Tories fishing for bad news rather than taking on the real issues on government data grabs.
"Records for 25 million people, relating to child benefit payments for 7.25 million families, were sent using the HMRC's own postal system, called grid, but never arrived" - reward of £20,000 ... making the security of each family 'worth' slightly less than 0.3 pence (or each individual a staggering 0.08 pence).
Call me old fashioned, but I suspect that there is a better price available in Nigeria.
It can't really be a surprise that at least one a week goes 'off the radar' given the massive PC estate that the Government runs. Any large enterprise would probably suffer from similar problems.
You're never going to be able to stop staff leaving them in taxis, the general public stealing them, assets being moved without permission or laptops not being collected from staff who leave. What it does highlight, though, is that it's ESSENTIAL to ensure ANY data storage is encrypted and that your asset management system accurately lists all accesses available, so that when the loss is discovered, you remove access permissions.
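The two controls the comment above asks for (encrypted storage and an asset register that knows what access each device carries) can be turned into a loss-handling procedure. The following is an added example, not code from the original thread or from any government system; the asset tags, custodians, credential names and data labels are all constructed for illustration.

```python
"""Added example (not from the original thread): a minimal asset register that
ties each portable device to the access it carries, so a reported loss becomes
a concrete revocation list plus an exposure verdict. All records are constructed."""
from dataclasses import dataclass, field


@dataclass
class Device:
    asset_tag: str
    custodian: str
    full_disk_encryption: bool
    # Access the device can exercise on its own: VPN certs, cached tokens, keys.
    access: list = field(default_factory=list)
    # Data classes known to be stored locally (empty for a thin client).
    local_data: list = field(default_factory=list)


# Constructed inventory: hypothetical tags, users and credential names.
INVENTORY = {
    "LT-0001": Device("LT-0001", "a.smith", True,
                      ["vpn-cert:a.smith", "sso-refresh-token:a.smith"],
                      ["payroll-extract"]),
    "LT-0002": Device("LT-0002", "b.jones", False,
                      ["vpn-cert:b.jones"],
                      ["benefit-records-extract"]),
    # Thin client: remote login only, nothing stored locally.
    "LT-0003": Device("LT-0003", "c.brown", True, [], []),
}


def report_loss(inventory, asset_tag):
    """Return the revocation actions and exposure verdict for a lost device.

    'data_exposed' is True only when the device held local data AND lacked
    full-disk encryption; an encrypted device with data is a cost, not a breach.
    """
    dev = inventory.get(asset_tag)
    if dev is None:
        # Unknown tag: the register itself has failed; escalate rather than guess.
        return {"status": "unregistered",
                "actions": ["investigate-asset-register"],
                "data_exposed": None, "data": []}
    actions = [f"revoke:{grant}" for grant in dev.access]
    actions.append(f"reset-password:{dev.custodian}")
    exposed = bool(dev.local_data) and not dev.full_disk_encryption
    return {"status": "registered", "actions": actions,
            "data_exposed": exposed, "data": list(dev.local_data)}


def unencrypted_with_data(inventory):
    """Preventive check: tags of devices holding local data without FDE."""
    return sorted(tag for tag, dev in inventory.items()
                  if dev.local_data and not dev.full_disk_encryption)


if __name__ == "__main__":
    print(report_loss(INVENTORY, "LT-0002"))
    print("fix before they go walkabout:", unencrypted_with_data(INVENTORY))
```

The preventive check is the part worth running on a schedule: a device that appears in `unencrypted_with_data` is the one whose loss turns into a headline rather than a replacement invoice.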
This is one of those fairly meaningless stats without any reference.
So that's one a day out of how many owned by the Gov?
1 a day sounds bad but is it?
Recent studies have shown that at US airports approx 12000 laptops are lost each week; that's over 600000 a year.
UK and EU Airports also have a problem with approx 4000 being lost each week, Heathrow accounting for 900 per week on average.
"Despite a £20,000 reward for the child benefit discs and a 47-officer strong police investigation they were never found."
Personally, I doubt they ever existed. Two discs gone missing between one department and another? Sounds like a classic case of the old 'No, of course I didn't forget to send them! What? Do you mean to say they never showed up?'
All it takes is for it to be reported to an unusually conscientious person with any idea of the actual magnitude of this kind of loss, and what was previously a fib to get you out of a tight spot is now a major news story and police investigation.
On the positive side, this (as I believe) fake data loss story did seem to prompt other government departments to start 'fessing up to their own losses, which as we've seen are substantial.
...perhaps the use of all portable media devices in any way, shape, or form should be forbidden from use in any public facility. Any public person caught doing so should be regarded as a terrorist or enemy spy and treated accordingly. Note that this not only encompasses USB sticks, discs/disks, and laptops, but also paper--after all, spies cannot photograph or copy what is not written down.
>Despite a £20,000 reward for the child benefit discs and a 47-officer strong police investigation they were never found
I seem to remember they went via a certain delivery company, who are probably the ones who lost them. If that is the case, then the disks are in Belgium. I worked on the system that would have tracked the disks, and it has a default of "if not sure, deliver to main depot in Belgium".
But my main comment is simple - the government needs to implement a simple "if you lose or leak data on individuals, you go to jail" policy. On the other hand, non-personal data related to government, that should be public - they're our government, we should be entitled to know what they're up to.
How many other things have gone missing without being reported?
How many departments allow users to use any USB media without encryption? Would such a user report the fact that they'd copied some data to their personal USB stick and lost it, or would they keep quiet and go out and buy another USB stick?
How many users have managed to get sensitive data onto their home PCs? How easy is it, on the government's networks, to export some data to a flat file and then copy that data to removable media or email it out? How many users manage to lose track of data like that?
But if things like that do go on I doubt that ministers even want to know about it. So long as they don't know about it they don't have to report it.
"We don't need a review of policies. We need hefty fines and prison sentences for INDIVIDUALS RESPONSIBLE for the loss of equipment containing unsecured personal data. Simple."
Ah, but which individual is responsible, pray tell? The lowly flunky who had the misfortune to have a laptop stolen while refreshing himself after an arduous workday? Or his manager, who clearly didn't *manage* him? Or the operating policy wonks who fill notebooks inches thick with detailed, explicit policies, but never trouble themselves to tell the troops about them? Or, God forbid, the minister responsible for the department at fault? (BTW, whatever happened to the concept of ministerial responsibility? Did Wakkyjakky have her way with it? <shudder>)
Ash's emphatic demand that _somebody_ be held accountable is understandable given the repeated demonstrations of public sector IT muppetry, but I fear his proposal would become an excuse to make the proverbial lowly flunky a scapegoat for more profound failings much higher up in the hierarchy.
And thus serve as a mechanism for those truly responsible to escape all blame. Since it seems to be a guiding principle of NuLabour that all blame must be avoided, you can see how the proposed policy would play into the hands of Those We Love to Hate.
The loss of sensitive and especially classified government data IS a crime, as it is a failure of adhering to government protocols and potentially even a threat to national security.
Anyway, if you want to protect sensitive data, you must treat it like a scant resource--only to be handled as absolutely needed and under full audit. How's this for a working theory? First, ensure only one active copy of any file exists--disable copying, moving, deleting, and the "Save As" function system-wide (this will handily take care of removable media as well). Backups are permitted only on an encrypted system-wide basis. If a copy *must* be made, then it must be cleared by security--such security people only possess permission to alter permissions, not files themselves outside their own internal scope. All files should possess full version tracking so each and every edit can be tracked. Laptops in such a system should be registered, possess GPS trackers and should really be no more than thintops--encrypted remote login devices with no local storage to speak of. If data *must* be taken to a location where the Internet is not reliable, then the laptop should only contain as much data as needed and require two-factor authentication just to turn it on--and it must be brought by two people (as remotely separate as feasible), each possessing only one of the factors. Basically, treat it like a priceless treasure, because it just may well be.
Easy. They're *ALL* to blame. The flunky who forgot to lock down his laptop before having a pint, the manager for assigning an untrustworthy person to the task, the OP wonks for populating the laptop with more than was necessary, for not forcing encryption, and probably for not using a "thintop" access policy, and the minister for not setting up a DTA data protection policy nor enforcing what's already there. *Someone* must be held accountable, but that doesn't necessarily mean the blame must be limited to *one and only one* someone.