Lenovo tells Asia-Pacific staff: Work lappy with your unencrypted data on it has been nicked

Re: Meet our CSO, Mr. Hindsight

Isn't hard drive encryption literally one of the features of many of the products Lenovo sell?

Good to know they're dogfooding it. Next we'll find out that it was in fact a Dell laptop

Re: Meet our CSO, Mr. Hindsight

One of my relatives runs his own company and has a significant amount of very sensitive information on his many private clients, but trying to get him to take security seriously is virtually impossible. He is one of those guys who always knows better and more about everything than anyone else. He accuses me of being paranoid when I try to talk to him about his naive attitude towards security. He did admit that a few months ago his co-director fell for one of those "Hello this is Microsoft calling" phone calls and even installed malware on their network as a result before someone finally twigged it was a scammer and hastily tried to close stable doors; how much / if any data was lost he didn't say. His company is probably too small to end up being featured on El Reg in the event of a major data loss, but he is a GDPR data breach waiting to happen.

Re: GDPR?

But if the laptop had been in Europe or Australia, and encrypted the police would have a copy of the key - and so the data would be available in every east end boozer for "a drink"

Re: GDPR?

Hmm.. Singapore doesn't seem to be on the GDPR/Third countries with adequacy decision but they seem to have some kind of data protection under the Personal Data Protection Act 2012 (PDPA).

However:

"The data protection provisions in the PDPA (parts III to VI) generally do not apply to:

"Business contact information. This refers to an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his or her personal purposes.,,"

Penalties seem to be a bit weak (1 GBP = 1.72 Singapore Dollars) , I'm personally not convinced about the prison term below:

"...A fine up to SGD10,000. In the case of a continuing offence, the guilty person is liable to a further fine not exceeding SGD1,000 for every day or part of the day during which the offence continues after conviction.

Imprisonment for a term not exceeding three years."

That's pretty broad set of exclusions IMHO + anyone's guess whether their equivalent to the ICO will act to enforce...

Re: If Lenovo give away my bank details

Then surely they're liable for any financial loss I incur?

That will depend on where you reside, and the laws that apply to you and your data.

In the UK, Morrisons are still protesting their innocence after a staffer deliberately released similar data some years ago. They've lost a case at the Court of Appeal, but they think it worth appealing to the Supreme Court, and until that's done and dusted there's a bit of doubt about how much liability attaches to the unintentional but avoidable loss of UK employee data.

Re: Lenovo takes the security of employee information very seriously

I'm fairly sure Lenovo have said that only once. Very recently.

Unless you've got it on repeat.

@DuchessofDukeStreet

I suggest that two months is about how long someone can spin out 'I left my laptop at home' until someone finally loses patience and finds out the truth.