Laptop Theft and Data Loss By Irish Health Service Executive
I wrote about this topic on 24 August 2008 in relation to the loss of data about people who became involved with state agencies. I suppose it is hardly surprising that the same issue has happened again. In this most recent case, the Irish Health Service Executive (HSE) lost about 15 laptop computers, which were stolen from their offices in Roscommon Town. RTE, Ireland’s national news broadcaster, reports that, while information on 13 of the laptops has been encrypted, what is described as confidential information on one of the other two machines is accessible to anybody in possession of the laptops. The HSE is reported to have said that it ‘is satisfied that there was no identifying information in relation to patients or clients on one of the non-encrypted laptops.’
The truth is, of course, that the HSE cannot make this statement with any confidence, unless they subject their laptops, removable devices, and other storage media to continuous audit and stringent data management policies and controls, which, I suggest, is highly unlikely. In my opinion, there is as much probability of confidential information being stored on any of those laptops as not. The HSE probably has no way of knowing one way or the other; if it does, it should be required to produce the evidence in public immediately.
The ubiquity, portability and ease of use of laptop computers and other removable storage devices make the occurrence of theft and data loss almost inevitable. Indeed, I am sure that I could probably be found wanting myself in this regard, despite the fact that I advise, consult and speak on the topic of information and data security from time to time. As it happens – and this is merely because of the nature of my work – I do not need to store personal private information on my machine. However, I suspect that, on any of my computers or storage devices, there probably lies an old email, an old file, or a stored chat session that related to some private information. Simply put, it is dangerous in the extreme to believe that private information might not be stored on any electronic device. Therefore, the utmost precautions should be taken in all cases and at all times.
It is really time that all people who are in control of personal private information, whether in the public or private sectors, took this issue seriously and started taking immediate, practical and effective steps to secure the data they store and control. It might well be worth reading my previous article again, where I provided advice and guidance on how to improve data security.
What are you doing about information and data security in your organisation? Do you think data processors and data controllers are taking enough care of personal private data?
Leave a comment and let me know.
