When is an encrypted laptop not an encrypted laptop?

It's logged off, but is it encrypted?

If you have an encrypted business laptop, does that mean it’s totally safe, and therefore that losing it doesn’t really matter because of the encryption?

Erm, well, not necessarily. In fact, you will be surprised to discover when your encrypted laptop is, in fact, encrypted!
First let me explain the reason I brought this up. I read an article in SC Magazine today, about a Scottish QC who had the misfortune to have her business laptop (unencrypted, we believe) stolen from her home whilst she was on holiday. You can read the story here.
The laptop apparently contained personal details of individuals involved in eight court cases, that Ruth Crawford, the unfortunate QC in question, was involved with. Clearly, this is highly sensitive information, and is a situation that all legal professionals would be horrified to find themselves in.
Kevin Macdonald from the Scottish Information Commissioners Office (ICO), who investigated this data breach, took the opportunity to point out that this was “a warning to other legal professionals” and that “it’s not just about being served with a penalty of up to £500,000, it could affect (their) careers too.” On this occasion the QC concerned was not issued with a financial penalty, as the theft occurred prior to April 6 2010, the date the ICO was given the power to fine for serious breaches.
At the moment, the ICO does not have the power to force mandatory disclosure in such cases, but it is in their sights. The statement relating to this incident included this comment, “The ICO would also like to assure the legal profession that any information reported to this office will not be disclosed unless there is specific legal authority for us to do so. Therefore all breaches should be reported to our office as soon as practically possible”. If you have read any social media and press commentary on the subject of mandatory disclosure, you will know it feels like a matter of time. So are we saying that encrypted laptops are the way forward for the legal professions? Many already use them as a matter of course. Well, it’s one possible solution to a security issue.
In this case the laptop was apparently unencrypted, perhaps not a good start. However, it was in her home and she was away from home, on holiday. Perhaps a simple approach would have made its lack of encryption less of an issue: locking it away at her office during non-work hours, and particularly during annual leave, as a matter of good security policy, perhaps?
One common misconception about an encrypted laptop is that it’s always encrypted, and therefore the possibility of losing it is not a huge issue. This is not the case: a laptop is only encrypted if it is totally powered down. Being logged off is not enough; it is not encrypted, even at that stage.
Whilst the article in SC Magazine finishes with a helpful quote from an encryption software producer on self-encrypting drives, it doesn’t address the underlying issue: it doesn’t matter how good the encryption is if your security policy, staff security education and ongoing review process are not robust. Relying on technology in isolation can make staff complacent and lead them to make dangerous assumptions, such as that if your laptop is encrypted then you have nothing to worry about.
So, when is an encrypted laptop not an encrypted laptop? Pretty much most of the time, actually.
Independent Information and Physical Security Consultants
