<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>DiskShred Blog &#187; Data Disposal</title>
	<atom:link href="http://blog.diskshred.co.uk/category/data-disposal/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.diskshred.co.uk</link>
	<description>Debate and advice on data security</description>
	<lastBuildDate>Mon, 09 Aug 2010 11:34:03 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>How much does data loss cost you?  Try £600k</title>
		<link>http://blog.diskshred.co.uk/2010/07/26/how-much-does-data-loss-cost-you-try-600k/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=how-much-does-data-loss-cost-you-try-600k</link>
		<comments>http://blog.diskshred.co.uk/2010/07/26/how-much-does-data-loss-cost-you-try-600k/#comments</comments>
		<pubDate>Mon, 26 Jul 2010 09:04:15 +0000</pubDate>
		<dc:creator>Keith Pryde</dc:creator>
				<category><![CDATA[Data Disposal]]></category>
		<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://blog.diskshred.co.uk/?p=141</guid>
		<description><![CDATA[Time and time again we read about data losses and breaches.  We read articles about hospitals losing private patient information or corporate giants misplacing unencrypted USB drives but aside from the “tut tut” head shake does the average Joe really worry about this?
Probably not.
Well what if I told you some of these data leaks cost [...]]]></description>
			<content:encoded><![CDATA[<p>Time and time again we read about data losses and breaches.  We read articles about hospitals losing private patient information or corporate giants misplacing unencrypted USB drives but aside from the “tut tut” head shake does the average Joe really worry about this?</p>
<p>Probably not.</p>
<p>Well, what if I told you some of these data leaks cost you money?</p>
<p>Now I’ve got your attention.</p>
<p>It seems our very own Government is the biggest culprit of data storage equipment loss but it’s the average Joe tax payer that foots the bill.</p>
<p>According to <a title="Lewis PR Statistics" href="http://live.lewispr.com/LEWISPR/2010/07/22/lewis-pr-uncovers-huge-loss-of-laptops-by-mod-staff-00466" target="_blank">figures</a>, released by Lewis PR following a Freedom of Information request, between June 2008 and the end of May this year 340 laptops have been lost or stolen from Ministry of Defence staff, costing us a whopping £620,000.</p>
<p>A further 593 CDs, DVDs and floppy disks, 215 USB memory sticks, 96 hard-disk drives and 13 mobile phones also went missing.</p>
<p>And if that wasn’t bad enough, some of the stolen items weren’t encrypted so could be accessed by criminals.</p>
<p>Of 1,257 hi-tech items that disappeared from the MoD, a staggering 983 were not encrypted.</p>
<p>Yet only nine staff were disciplined over the losses.</p>
<p>The statistics also detailed a further 10 Governmental departments that incurred major data losses.  In fact more than 500 laptops were lost or stolen from 11 UK Whitehall departments during this period. </p>
<p>These combined losses cost the tax payer approximately £777,854.29 in the last two years.</p>
<p>Only 17 staff members were disciplined over these incidents.</p>
<p>These are worrying statistics indeed particularly as many of the lost items were Blackberries, USB sticks and mobile phones.</p>
<p>In these days of heightened global security how can this amount of data be unencrypted? </p>
<p>How can staff continue to be so lax with our private information?</p>
<p>If they’re that careless about their current equipment containing sensitive data, do they have a strictly audited security disposal policy for data destruction of these portable storage devices at their normal end-of-life?  Or do they just leave them lying around?</p>
<p>How long will the taxpayer be expected to pay for these mistakes?</p>
<p>I don’t know about the average Joe but I would rather have the money in my pocket&#8230;wouldn’t you?</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.diskshred.co.uk/2010/07/26/how-much-does-data-loss-cost-you-try-600k/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Smartphones…not so smart now</title>
		<link>http://blog.diskshred.co.uk/2010/06/28/smartphones%e2%80%a6not-so-smart-now/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=smartphones%25e2%2580%25a6not-so-smart-now</link>
		<comments>http://blog.diskshred.co.uk/2010/06/28/smartphones%e2%80%a6not-so-smart-now/#comments</comments>
		<pubDate>Mon, 28 Jun 2010 09:40:10 +0000</pubDate>
		<dc:creator>Keith Pryde</dc:creator>
				<category><![CDATA[Data Disposal]]></category>
		<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[Data Retention]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://blog.diskshred.co.uk/?p=137</guid>
		<description><![CDATA[It’s the age of the Smartphone.  The market is saturated with them whether it’s the iPhone, Blackberry, Palm Pre, Samsung…the list goes on.  And if you don’t have one you’re probably planning on getting one.
The beauty of these models is you can do everything on the go – check emails, send texts, make calls, surf [...]]]></description>
			<content:encoded><![CDATA[<p>It’s the age of the Smartphone.  The market is saturated with them whether it’s the iPhone, Blackberry, Palm Pre, Samsung…the list goes on.  And if you don’t have one you’re probably planning on getting one.</p>
<p>The beauty of these models is you can do everything on the go – check emails, send texts, make calls, surf the net and even arrange your schedule.  It’s like carrying a mini laptop in your pocket.</p>
<p>But the problem with having so much information stored on your phone is that you have so much information stored on your phone.</p>
<p>Take a minute and think about how much personally identifiable information is on your phone.  Portable devices carry personal data relating to recent calls made, photos, emails, your route from home to work and stored texts, all of which is potentially compromising data.</p>
<p>Now imagine your phone is lost or stolen.</p>
<p>Scary thought isn’t it.  Especially if you use the phone for business.</p>
<p>But it’s not just theft and loss that are dangerous.  Even simply upgrading your phone can be hazardous.  Has your phone been completely wiped of all data?  That’s the risk you take when you hand your old phone over for a shiny new replacement.</p>
<p>It is important, especially for those who store both personal and work related information on their smartphones, to ensure the data is secure.  It’s not enough to shred the storage devices from servers, laptops and PCs; these handheld devices also need to be physically destroyed if they are no longer used.</p>
<p>It is vital that all categories of personally identifiable information are securely disposed of.</p>
<p><a title="Pwc Report" href="http://www.pwc.co.uk/pdf/protecting_your_business_security_awareness.pdf " target="_blank">A new report from consultancy PwC </a>this week found that a company&#8217;s employees are its best defence against security threats, and should be empowered and educated about technology risk including mobile phones.</p>
<p>So let’s all start by taking much more ‘personal accountability’ by looking after portable business data as carefully as you would your own personal filing cabinet.  You wouldn’t leave your last itemised phone bill, bank details, personal address book or photos lying around would you?</p>
<p>And beware of the honey trap.  Just ask <a title="Gordon Brown's aide's Blackberry stolen" href="http://www.theregister.co.uk/2010/06/15/gchq_iphone/ " target="_blank">Gordon Brown’s aide </a>about securing his BlackBerry.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.diskshred.co.uk/2010/06/28/smartphones%e2%80%a6not-so-smart-now/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Conference launched to prepare NI organisations for ICO new powers</title>
		<link>http://blog.diskshred.co.uk/2010/05/14/conference-launched-to-prepare-ni-organisations-for-ico-new-powers/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=conference-launched-to-prepare-ni-organisations-for-ico-new-powers</link>
		<comments>http://blog.diskshred.co.uk/2010/05/14/conference-launched-to-prepare-ni-organisations-for-ico-new-powers/#comments</comments>
		<pubDate>Fri, 14 May 2010 08:30:23 +0000</pubDate>
		<dc:creator>Keith Pryde</dc:creator>
				<category><![CDATA[Data Disposal]]></category>
		<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[Data Retention]]></category>
		<category><![CDATA[DiskShred]]></category>
		<category><![CDATA[Legislation]]></category>

		<guid isPermaLink="false">http://blog.diskshred.co.uk/?p=124</guid>
		<description><![CDATA[AS we all know, the Information Commissioner’s Office now has the power to fine organisations up to £500,000 for deliberate or negligent data breaches and after Deputy Commissioner David Smith’s speech at InfoSecurity Europe, the tiger is no longer toothless.
Poised to attack, the ICO is ready to dish out hefty fines to those who are [...]]]></description>
			<content:encoded><![CDATA[<p>AS we all know, the Information Commissioner’s Office now has the power to fine organisations up to £500,000 for deliberate or negligent data breaches and after Deputy Commissioner David Smith’s speech at InfoSecurity Europe, the tiger is no longer toothless.</p>
<p>Poised to attack, the ICO is ready to dish out hefty fines to those who are careless with their data security.  But recent market research showed smaller SMEs were unaware of the ICO’s new powers.</p>
<p>For Northern Ireland companies unsure about the changes in the law there is a conference next month that can help. </p>
<p>The Legal-Island Data Protection &amp; Compliance Update Conference takes place on Thursday 3<sup>rd</sup> June at Dunsilly Hotel, Junction One in Antrim.  The full day event aims to arm organisations with all the very latest information on how to comply with the new measures and avoid the substantial monetary penalties now in force.</p>
<p>The conference will break down the responsibilities of organisations when processing employee or customer data, explain the new penalties and advise on data storage or disposal.  The afternoon session is broken into three streams – Customer Data, Marketing Both Online and Offline and Human Resources.  Delegates can choose which stream will benefit them the most.</p>
<p>Conferences like this are very beneficial for organisations particularly management staff and those in charge of sensitive information.  As I have said many times it is vital to educate staff on data protection and it is the responsibility of management to initiate and then enforce security protocols in the workplace.</p>
<p>If that hasn’t sold you perhaps one of the speakers will.  Catherine Vint, a senior investigator in the Information Commissioner’s Office Northern Ireland will be addressing the conference.  Where better to get advice on how to avoid the £500k fine than from the ICO itself?</p>
<p>And if that still hasn’t sold you – we’ll be there!  DiskShred are one of the sponsors and we’ll be exhibiting at the conference.  If you have any questions about secure data destruction feel free to drop by and say hello. </p>
<p>Full conference details and prices can be found <a title="Legal-Island Data Protection &amp; Compliance Conference" href="http://www.legal-island.com/events/all-events/218/data-protection-and-compliance-update-conference/" target="_blank">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.diskshred.co.uk/2010/05/14/conference-launched-to-prepare-ni-organisations-for-ico-new-powers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The ICO shows its teeth at InfoSecurity Europe</title>
		<link>http://blog.diskshred.co.uk/2010/05/11/the-ico-shows-its-teeth-at-infosecurity-europe/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-ico-shows-its-teeth-at-infosecurity-europe</link>
		<comments>http://blog.diskshred.co.uk/2010/05/11/the-ico-shows-its-teeth-at-infosecurity-europe/#comments</comments>
		<pubDate>Tue, 11 May 2010 07:59:54 +0000</pubDate>
		<dc:creator>Keith Pryde</dc:creator>
				<category><![CDATA[Data Disposal]]></category>
		<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[Data Retention]]></category>
		<category><![CDATA[DiskShred]]></category>

		<guid isPermaLink="false">http://blog.diskshred.co.uk/?p=98</guid>
		<description><![CDATA[WELL InfoSecurity Europe is over for another year…and what an event it was.
The big story of the three-day exhibition was the ICO Deputy Commissioner David Smith’s opening address to delegates.  Not only did he name and shame the NHS as the worst culprit for data breaches but he warned plans to make some data breach [...]]]></description>
			<content:encoded><![CDATA[<p>WELL InfoSecurity Europe is over for another year…and what an event it was.</p>
<p>The big story of the three-day exhibition was the ICO Deputy Commissioner David Smith’s opening address to delegates.  Not only did he name and shame the NHS as the worst culprit for data breaches but he warned that plans to make some data breach notifications mandatory in the UK, as part of a wider European directive, are afoot.</p>
<div id="attachment_102" class="wp-caption alignleft" style="width: 116px"><a href="http://blog.diskshred.co.uk/wp-content/uploads/2010/05/david_smith.jpg"><img class="size-full wp-image-102 " title="David Smith" src="http://blog.diskshred.co.uk/wp-content/uploads/2010/05/david_smith.jpg" alt="" width="106" height="106" /></a><p class="wp-caption-text">The ICO Deputy Commissioner David Smith</p></div>
<p>He said the European Commission review of data laws will mean huge changes for organisations whose data security has been breached.</p>
<p>“Breach notification is on the agenda”, said Mr Smith.  “It&#8217;s coming for telecommunications companies, and there&#8217;s no logical reason to confine it to them.&#8221;</p>
<p>The UK will have data breach notification laws for the telecommunications sector within 18 months and the ICO expects this to roll out to other business organisations.</p>
<p>But perhaps the most surprising part of Mr Smith’s speech was his remarks regarding the ICO’s new penalty powers.</p>
<p>He said: “We have got some more powers now and are no longer the toothless tiger or bulldog we have been described as”.</p>
<p>He told the audience of exhibitors and delegates that the ICO were ready and willing to hand out fines to organisations who deliberately breach the Data Protection Act.</p>
<p>In fact Mr Smith even called for prison sentences for professional data thieves, including private investigators and employees who sell valuable information.</p>
<p>I took some time out from our stand to sit in on the address and when Mr Smith asked for questions from the floor I took the opportunity to pose the final question.</p>
<p>In light of recent market research, which showed smaller SMEs were unaware of the ICO’s new powers, I asked Mr Smith if he was concerned about these findings and if they planned to target a couple of offending organisations soon to help publicise their new &#8216;super powers&#8217;.</p>
<p>He replied that while they recognised the need to highlight the new powers to fine small businesses, they would not set out to target any one particular organisation.  However his earlier comments on the NHS might suggest otherwise.</p>
<p>No one knows when the ICO will strike but one thing is for sure: it will happen.  Organisations will be fined, despite all the warnings from InfoSec exhibitors.</p>
<p>Over 12,000 people attended the three day event and our stand was busy throughout.  We got more than 500 entries to our iPad giveaway, which was won by Rob Howell-Jones.</p>
<p style="text-align: center;">
<div id="attachment_100" class="wp-caption aligncenter" style="width: 310px"><a href="http://blog.diskshred.co.uk/wp-content/uploads/2010/05/STAND-4.jpg"><img class="size-medium wp-image-100 " title="DISK SHRED STAND" src="http://blog.diskshred.co.uk/wp-content/uploads/2010/05/STAND-4-300x225.jpg" alt="" width="300" height="225" /></a><p class="wp-caption-text">The busy DiskShred stand at InfoSec Europe 2010</p></div>
<div class="mceTemp mceIEcenter" style="text-align: center;">
<dl id="attachment_107" class="wp-caption   aligncenter" style="width: 310px;">
<dt class="wp-caption-dt"><a href="http://blog.diskshred.co.uk/wp-content/uploads/2010/05/STAND-3.jpg"><img class="size-medium wp-image-107 " title="DiskShred Stand 2" src="http://blog.diskshred.co.uk/wp-content/uploads/2010/05/STAND-3-300x225.jpg" alt="" width="300" height="225" /></a></dt>
<dd class="wp-caption-dd">Waiting for the doors of InfoSec Europe 2010 to open.</dd>
</dl>
</div>
<p style="text-align: left;">Information Security expert and well known blogger/author Brian Honan of BH Consulting dropped by the DiskShred stand.  He attended the InfoSec exhibition to sign copies of his new book <em>Implementing ISO27001 in a Windows 7 Environment</em> on the IT Governance stand – his book is a must for every information security practitioner’s technical library.</p>
<p style="text-align: left;">Also Peter Hayes from the CCTM Secretariat (Claims Tested Mark awarding body on behalf of UK Government CESG) visited our stand to congratulate us on prominently promoting the CESG Claims Tested logo on the stand header.</p>
<p style="text-align: left;">InfoSec gave us time to network and meet fellow information security Tweeters and bloggers.  We met Tim Schraider and Maritz Cloete, two directors of CS Risk Management &amp; Compliance in London, who are avid followers of DiskShred’s comments on Twitter.  It was great to put a face to the profile!</p>
<p style="text-align: left;">All in all it was a worthwhile experience for the DiskShred team.  I can only hope events like InfoSec Europe succeed in educating staff from all sectors and business organisations about the importance of information security and data protection.</p>
<p style="text-align: left;"><a href="http://blog.diskshred.co.uk/wp-content/uploads/2010/05/INFOSEC-8.jpg"><img class="alignleft size-medium wp-image-115" title="DiskShred Stand 3" src="http://blog.diskshred.co.uk/wp-content/uploads/2010/05/INFOSEC-8-300x225.jpg" alt="" width="300" height="225" /></a></p>
<p style="text-align: center;">
<p style="text-align: left;">Check out pics of the event on the <a title="InfoSec 2010 Group" href="http://www.flickr.com/groups/1422217@N23/" target="_blank">InfoSec 2010 Flickr group</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.diskshred.co.uk/2010/05/11/the-ico-shows-its-teeth-at-infosecurity-europe/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Security experts take over London</title>
		<link>http://blog.diskshred.co.uk/2010/04/23/security-experts-take-over-london/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=security-experts-take-over-london</link>
		<comments>http://blog.diskshred.co.uk/2010/04/23/security-experts-take-over-london/#comments</comments>
		<pubDate>Fri, 23 Apr 2010 07:30:31 +0000</pubDate>
		<dc:creator>Keith Pryde</dc:creator>
				<category><![CDATA[Data Disposal]]></category>
		<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[Data Retention]]></category>
		<category><![CDATA[DiskShred]]></category>

		<guid isPermaLink="false">http://blog.diskshred.co.uk/?p=92</guid>
		<description><![CDATA[THE UK and Europe’s top security experts are travelling to London next week for InfoSecurity Europe at Earl’s Court.
Celebrating 15 years in the industry, this event is by far the biggest in the information security calendar with exhibitors from all over the world displaying their products.
But that’s not all InfoSec has to offer.
Unlike other industry events, [...]]]></description>
			<content:encoded><![CDATA[<p>THE UK and Europe’s top security experts are travelling to London next week for <a title="InfoSecurity Europe" href="http://www.infosec.co.uk/" target="_blank">InfoSecurity Europe </a>at Earl’s Court.</p>
<p>Celebrating 15 years in the industry, this event is by far the biggest in the information security calendar with exhibitors from all over the world displaying their products.</p>
<p>But that’s not all InfoSec has to offer.</p>
<p>Unlike other industry events, InfoSec offers a free Education Programme.  This includes seminars, workshops and round table discussions featuring talks from some of the most influential security experts in the world.</p>
<p>New to this year’s line-up are the Discussion Den and Security Workshops.  The Discussion Den involves an interactive panel session debating various topics including cybercrime and mobile security.  No doubt the Caretower IT Specialists talk on Tried &amp; Tested Methods Of Securing Funding For Your Security Projects will be popular.</p>
<p>The eagerly anticipated Security Workshops are proving very popular with organisers asking people to pre-register to attend.  The four themes are Data Leakage Prevention, Global Corporate Challenges, Online Security and Threats &amp; Mitigation. </p>
<p>I hope to get the opportunity to hear the keynote address by Deputy Information Commissioner David Smith, where he’ll discuss the ‘ins and outs’ of the new £500k data loss fines.</p>
<p>I am well aware that I may be preaching to the converted but I can’t help stressing the importance of events like InfoSec.  The exhibition is designed to educate businesses on data protection in the hope that they will return to their offices armed with the information and contacts they need to implement a security structure.</p>
<p>However, in some cases, the very people who should be attending to learn more about protecting their reputation and their clients’ privacy are the ones who are probably careless about personally identifiable information and are likely to get hit with the wrath of the ICO.</p>
<p>So if you want to avoid a nasty fine, speak to the experts at InfoSec Europe&#8230;</p>
<p>And if you want to <a title="DiskShred iPad Competition" href="http://www.diskshred.co.uk/diskshredComp.html" target="_blank">win a brand new Apple iPad visit us at stand E64!</a></p>
<p>Hope to see you there.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.diskshred.co.uk/2010/04/23/security-experts-take-over-london/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Avoiding the Volcano – Top 10 Guide to Information Data Security</title>
		<link>http://blog.diskshred.co.uk/2010/04/20/avoiding-the-volcano-%e2%80%93-top-10-guide-to-information-data-security/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=avoiding-the-volcano-%25e2%2580%2593-top-10-guide-to-information-data-security</link>
		<comments>http://blog.diskshred.co.uk/2010/04/20/avoiding-the-volcano-%e2%80%93-top-10-guide-to-information-data-security/#comments</comments>
		<pubDate>Tue, 20 Apr 2010 15:28:14 +0000</pubDate>
		<dc:creator>Keith Pryde</dc:creator>
				<category><![CDATA[Data Disposal]]></category>
		<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[Data Retention]]></category>
		<category><![CDATA[DiskShred]]></category>

		<guid isPermaLink="false">http://blog.diskshred.co.uk/?p=83</guid>
		<description><![CDATA[IT’S now mid-April, the Information Commissioner’s Office powers to fine organisations up to £500,000 for a ‘deliberate or negligent’ data breach are officially in force.  But word on the web is that businesses still aren’t taking heed of security warnings.
It’s time to wake up and smell the coffee – the ICO is ready, willing and [...]]]></description>
			<content:encoded><![CDATA[<p>IT’S now mid-April, the Information Commissioner’s Office powers to fine organisations up to £500,000 for a ‘deliberate or negligent’ data breach are officially in force.  But word on the web is that businesses still aren’t taking heed of security warnings.</p>
<p>It’s time to wake up and smell the coffee – the ICO is ready, willing and able to impose these fines.  Do you want to incur the wrath of the ICO?  I didn’t think so. </p>
<p>We are a leading on-site data disposal service with over nine years’ experience of secure data destruction so we know a little something about information security.  We have put together a guide to help businesses get their house in order and avoid a hefty fine.</p>
<ol>
<li>First things first: organisations need to be aware of the importance of data.  Whether it is trade secrets or personal customer information, a data breach can cause serious damage to a business – and not just financially.  When trust is lost it can be extremely difficult for a company to repair its reputation and this affects future business prospects.  Losing information is very serious; be aware of that.</li>
<li>There are some people out there who think the ICO won’t enforce the new powers but don’t be misled.  The new Information Commissioner Christopher Graham is poised to pounce.  He said: “Getting data protection right has never been more important than it is today&#8230;I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law.”</li>
<li>As I have talked about before, all staff must be educated on the importance of data protection.  Careless staff can cost a business dearly, so security protocols must be in place to ensure the protection of information.  Just last month the <a title="Barnet Council Security Breach" href="http://www.infosecurity-magazine.com/view/8472/barnet-council-discovers-9000-reasons-to-encrypt-data/" target="_blank">personal details of 9000 school children </a>were compromised after unencrypted CDs and USB sticks were stolen from a council employee’s home.  Fortunately for the council the incident occurred before the ICO powers came into force and they avoided a substantial penalty.</li>
<li>And that goes for the big wigs too.  There has to be corporate compliance to ensure a data loss does not occur.  The top dogs in any company must also take these measures seriously.  However as the recent <a title="Ponemon Study" href="http://www.absolute.com/resource_center/whitepapers/ponemon-human-factor" target="_blank">Ponemon study </a>revealed, that is not always the case.  The survey found that 53 per cent of British business managers have disengaged the encryption on their laptops.  This is hardly a good leadership example to set for their own staff.</li>
<li>The best way to know if your data protection policies are up to scratch is to test them.  Give your procedures a complete overhaul to ensure your data security and breach policies are running smoothly.  This includes website privacy, internal data, data retention, data disposal, portable information and the use of third parties.</li>
<li>When outsourcing services to a third party, whether it’s for hard drive shredding or encryption, make sure all contracts meet your data security policies.  Ask the contractors for proof of pre-employment screening and 5-year security background checks (in compliance with BS7856:2006).  Also ask for proof that the chosen data destruction company is accredited to BSEN15713:2009 for Secure Destruction of Confidential Media or holds a CESG CCTM accreditation from the UK Government.</li>
<li>These days data can be stored on the smallest of devices.  CDs, USBs, PDAs and even Smartphones store an enormous amount of information but they are easily misplaced and could fall into the wrong hands.  It is important for businesses to enforce ‘don’t take home’ policies with staff to avoid loss or theft, and when these devices are deemed redundant dispose of them correctly, guaranteeing all data has been destroyed.</li>
<li>Greening your office is good for the environment but before donating old computer equipment make sure it has been professionally wiped and overwritten using software that meets an accredited standard, such as the CESG InfoSec IA Standard 5, otherwise significant data could end up in the wrong hands.  This point has been championed by <a title="EDPS press release" href="http://europa.eu/rapid/pressReleasesAction.do?reference=EDPS/10/7&amp;format=HTML&amp;aged=0&amp;language=EN&amp;guiLanguage=en" target="_blank">European Data Protection Supervisor Peter Hustinx</a>, who warned the EU’s proposal to recast the old WEEE (Waste Electrical and Electronic Equipment) Directive focuses too heavily on the environmental issues. He said: “It is important to take into account the potentially damaging effects of WEEE disposal on the protection of personal data stored in used equipment. Respect for security measures and a ‘privacy by design’ approach should be seen as essential pre-conditions in order to effectively guarantee the right to the protection of personal data.”</li>
<li>Trusting an outsider to dispose of data storage devices can be difficult for some companies.  Take control of your data disposal and insist on witnessing the destruction.  That way you know the job has been done.</li>
<li>Finally, information security is an ongoing process.  This isn’t a Spring clean quick fix.  Businesses need a long-term strategy to keep them and their customers secure.  I know it might sound like a broken record but it’s better to be safe than sorry, particularly when potentially up to £500k is at stake.</li>
</ol>
<p>To discuss this further, we’ll be taking a stand at InfoSecurity Europe at Earl’s Court in London from 27<sup>th</sup> – 29<sup>th</sup> April.  Visit us at stand E64.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.diskshred.co.uk/2010/04/20/avoiding-the-volcano-%e2%80%93-top-10-guide-to-information-data-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>At last&#8230;the business case for investment in data protection has arrived!</title>
		<link>http://blog.diskshred.co.uk/2010/03/29/at-last-the-business-case-for-investment-in-data-protection-has-arrived/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=at-last-the-business-case-for-investment-in-data-protection-has-arrived</link>
		<comments>http://blog.diskshred.co.uk/2010/03/29/at-last-the-business-case-for-investment-in-data-protection-has-arrived/#comments</comments>
		<pubDate>Mon, 29 Mar 2010 08:00:56 +0000</pubDate>
		<dc:creator>Keith Pryde</dc:creator>
				<category><![CDATA[Data Disposal]]></category>
		<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[Data Retention]]></category>

		<guid isPermaLink="false">http://blog.diskshred.co.uk/?p=63</guid>
		<description><![CDATA[WE are definitely a trusting nation.  Think about it.  On any given day we are willing to part with our private information, trusting the organisation to protect it with all their might. 
And we don’t think for a second that these sacred facts will be left on a train or posted to someone else’s address.
Are we [...]]]></description>
			<content:encoded><![CDATA[<p>WE are definitely a trusting nation.  Think about it.  On any given day we are willing to part with our private information, trusting the organisation to protect it with all their might. </p>
<p>And we don’t think for a second that these sacred facts will be left on a train or posted to someone else’s address.</p>
<p>Are we to blame for being naive?  No we aren’t.  We take businesses into our confidence when we share this information and they are supposed to value this as much as we do.</p>
<p>Organisations aren’t putting enough effort and funds into the protection of personal information.  In the last few months alone details have emerged of new data leaks from city councils, hospital trusts, banks, lawyers, the Student Loans Company and even MI5.</p>
<p>From laptop theft through to careless disposal policies, it is clear many companies are leaving the protection of data to chance.</p>
<p>In response to this, the Information Commissioner’s Office issued <a title="The Privacy Dividend Report" href="http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/privacy_dividend.pdf" target="_blank">The Privacy Dividend report</a>, urging businesses to be proactive and invest in data protection protocols.</p>
<p>This is a complete turnaround.  At last there is a business case justification for proper investment in privacy protection rather than reactionary spending after the fact.</p>
<p>The report details a plan for businesses to assess and implement a protection plan for their data, from calculating the value of personal information to weighing the benefits of privacy protection.</p>
<p>But these protections must be built into the company’s core business.  There are no halfway measures when it comes to protecting private information.</p>
<p>Having preventative measures in place will not only improve your compliance with the law but will also promote loyalty and reduce potential financial risks.</p>
<p>Trust is a tricky business – when you have it it’s invaluable but when you lose it, it’s nearly impossible to get back.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.diskshred.co.uk/2010/03/29/at-last-the-business-case-for-investment-in-data-protection-has-arrived/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Quit stockpiling and spring clean those records</title>
		<link>http://blog.diskshred.co.uk/2010/03/22/quit-stockpiling-and-spring-clean-those-records/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=quit-stockpiling-and-spring-clean-those-records</link>
		<comments>http://blog.diskshred.co.uk/2010/03/22/quit-stockpiling-and-spring-clean-those-records/#comments</comments>
		<pubDate>Mon, 22 Mar 2010 09:04:21 +0000</pubDate>
		<dc:creator>Keith Pryde</dc:creator>
				<category><![CDATA[Data Disposal]]></category>
		<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[Data Retention]]></category>

		<guid isPermaLink="false">http://blog.diskshred.co.uk/?p=53</guid>
		<description><![CDATA[HOW long should we keep our company records?  Well how long is a piece of string?
Many businesses find themselves with an abundance of documents, both hard copies and electronically stored, with no idea when they should get rid of them.
Offices become cluttered with paper, files, computers and CDs with no end in sight.
But there is [...]]]></description>
			<content:encoded><![CDATA[<p>HOW long should we keep our company records?  Well how long is a piece of string?</p>
<p>Many businesses find themselves with an abundance of documents, both hard copies and electronically stored, with no idea when they should get rid of them.</p>
<p>Offices become cluttered with paper, files, computers and CDs with no end in sight.</p>
<p>But there is light at the end of the chaotic tunnel.</p>
<p>The <a title="BSIA Guidelines for Data Retention" href="http://www.bsia.co.uk/web_images/publications/form_233.pdf" target="_blank">British Security Industry Association</a> (BSIA) guidelines suggest businesses should put in place a records management system to dispose of data without risk of loss.</p>
<p>Some documents, like company registers, need to be kept for the lifetime of the organisation, whereas VAT personnel records should be properly disposed of seven years after termination of employment.</p>
<p>This is why it is important to take the time to make staff aware of what can be retained and for how long.  Educating employees on data loss prevention will go a long way in saving the organisation money and time.</p>
<p>The BSIA recommend putting a policy in place for secure shredding and recycling for company records, and obtaining an approved service provider.</p>
<p>There are no more excuses for stockpiling those old PCs.  It’s time to quit hoarding and spring clean your records.  Just remember, get them all professionally shredded, safely file the Certificate of Destruction and win back all that space.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.diskshred.co.uk/2010/03/22/quit-stockpiling-and-spring-clean-those-records/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data disposal: Ignorance is no longer bliss</title>
		<link>http://blog.diskshred.co.uk/2010/03/19/data-disposal-leave-it-to-the-experts/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=data-disposal-leave-it-to-the-experts</link>
		<comments>http://blog.diskshred.co.uk/2010/03/19/data-disposal-leave-it-to-the-experts/#comments</comments>
		<pubDate>Fri, 19 Mar 2010 12:05:04 +0000</pubDate>
		<dc:creator>Keith Pryde</dc:creator>
				<category><![CDATA[Data Disposal]]></category>

		<guid isPermaLink="false">http://blog.diskshred.co.uk/?p=35</guid>
		<description><![CDATA[WOULD you trust a teenager to wipe your company computers before shipping them off to a charity in Africa?
Well believe it or not that’s what a senior partner of a small investment firm did.  Without knowing what software his teenage son used or if it had even worked, he sent the computers off into unknown [...]]]></description>
			<content:encoded><![CDATA[<p>WOULD you trust a teenager to wipe your company computers before shipping them off to a charity in Africa?</p>
<p>Well believe it or not that’s what a senior partner of a small investment firm did.  Without knowing what software his teenage son used or if it had even worked, he sent the computers off into unknown hands.</p>
<p>Many organisations have their own unique methods of destroying private electronic data but in this age of information and technology simply hitting the delete key will no longer suffice.</p>
<p>Recycling old computers may help the environment but if you haven’t wiped the hard-drive correctly you may find important information ends up in the hands of fraudsters.</p>
<p>Computers, hard drives and other devices need to be destroyed properly.  This requires technical knowledge and the appropriate software to erase all traces of data.</p>
<p>There are many businesses out there that previously relied on the trusty hammer to destroy all traces of data, but are now unsure of what to do with old computers and equipment.  Sorry folks, stockpiling is not the answer.</p>
<p>According to a <a href="http://www.fsa.gov.uk/pubs/other/data_security.pdf" target="_blank">recent report</a> by the Financial Services Authority, too many organisations were not disposing of customer data correctly.  Examples of bad practice included the stockpiling of obsolete computers and other portable media for too long and in insecure environments.  Firms were also relying on others to destroy the materials without proof it was carried out correctly.</p>
<p>In many of these cases, ignorance is bliss but in the current economic climate, companies can’t afford to leave data disposal to chance.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.diskshred.co.uk/2010/03/19/data-disposal-leave-it-to-the-experts/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>New ICO powers make secure data disposal a top priority</title>
		<link>http://blog.diskshred.co.uk/2010/02/19/new-ico-powers-make-secure-data-disposal-a-top-priority/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=new-ico-powers-make-secure-data-disposal-a-top-priority</link>
		<comments>http://blog.diskshred.co.uk/2010/02/19/new-ico-powers-make-secure-data-disposal-a-top-priority/#comments</comments>
		<pubDate>Fri, 19 Feb 2010 14:46:13 +0000</pubDate>
		<dc:creator>Keith Pryde</dc:creator>
				<category><![CDATA[Data Disposal]]></category>
		<category><![CDATA[Legislation]]></category>

		<guid isPermaLink="false">http://blog.diskshred.co.uk/?p=24</guid>
		<description><![CDATA[In today’s world, our personal information is stored on thousands of computers belonging to companies with whom we do business.
Such details are potentially lucrative in the hands of criminals, so the public expects them to be treated with care and respect.
But if the information is disposed of carelessly and customer trust abused, the company in [...]]]></description>
			<content:encoded><![CDATA[<p>In today’s world, our personal information is stored on thousands of computers belonging to companies with whom we do business.</p>
<p>Such details are potentially lucrative in the hands of criminals, so the public expects them to be treated with care and respect.</p>
<p>But if the information is disposed of carelessly and customer trust abused, the company in question stands to lose considerably in terms of damage to its brand and loss of reputation.  A good name can be a company’s most important asset – and take years to build. </p>
<p>Lose your good reputation and potentially you could lose your company.  And that in turn impacts upon the people who work for you and your customer base.</p>
<p>To avoid this, public and private sector organisations must treat the protection of customer data with the utmost seriousness.  And when that information becomes obsolete, those organisations are obliged to dispose of that same information with equal fastidiousness.</p>
<p>How we permanently dispose of redundant I.T. equipment is now governed by the EU’s WEEE Directive, but disposal of the data on the hard drives is not.</p>
<p>Up until now, we had to rely on companies performing their ‘duty of care’ under the Data Protection Act and handling such disposal responsibly &#8211; but there was little incentive to do so, outside of an organisation’s own sense of obligation.</p>
<p>However, from April, the Information Commissioner’s Office (ICO) will have new powers to fine organisations up to £500,000 for “deliberate or negligent” breaches of personal data.  </p>
<p>Responsible organisations must put proper data disposal policies and procedures in place now &#8211; not just to avoid the wrath of the ICO but also to protect their businesses and livelihoods.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.diskshred.co.uk/2010/02/19/new-ico-powers-make-secure-data-disposal-a-top-priority/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

