When is an encrypted laptop, not an encrypted laptop?

It's logged off, but is it encrypted?

If you have an encrypted business laptop, does that mean it's totally safe, and therefore that if you lose it, it doesn't really matter because of the encryption?

Erm, well, not necessarily. In fact, you may be surprised to discover when your encrypted laptop is, in fact, encrypted!
First let me explain the reason I brought this up. I read an article in SC Magazine today about a Scottish QC who had the misfortune to have her business laptop (unencrypted, we believe) stolen from her home whilst she was on holiday. You can read the story here.
The laptop apparently contained personal details of individuals involved in eight court cases that Ruth Crawford, the unfortunate QC in question, was involved with. Clearly, this is highly sensitive information, and it is a situation that all legal professionals would be horrified to find themselves in.
Kevin Macdonald from the Scottish Information Commissioner's Office (ICO), who investigated this data breach, took the opportunity to point out that this was "a warning to other legal professionals" and that "it's not just about being served with a penalty of up to £500,000, it could affect (their) careers too." On this occasion the QC concerned was not issued with a financial penalty, as the theft occurred prior to April 6 2010, the date the ICO was given the power to fine for serious breaches.
At the moment, the ICO does not have the power to force mandatory disclosure in such cases, but it is in their sights. The statement relating to this incident included this comment: "The ICO would also like to assure the legal profession that any information reported to this office will not be disclosed unless there is specific legal authority for us to do so. Therefore all breaches should be reported to our office as soon as practically possible". If you have read any social media and press commentary on the subject of mandatory disclosure, you will know it feels like a matter of time. So are we saying that encrypted laptops are the way forward for the legal professions? Many already use them as a matter of course. Well, it's one possible solution to a security issue.
In this case the laptop was apparently unencrypted, perhaps not a good start. However, it was in her home and she was away from home, on holiday. Perhaps a simple approach would have made its lack of encryption less of an issue: locking it away at her office during non-work hours, and particularly during annual leave, as a matter of good security policy.
One common misconception about encrypted laptops is that, well, the laptop is always encrypted, and so losing it is not a huge issue. This is not the case. Once the disk has been unlocked at boot, the decryption key stays resident in memory and the operating system decrypts the disk transparently for as long as the machine is powered on, so a laptop is only truly encrypted when it is totally powered down. Being logged off is not enough; it is not encrypted even at that stage.
Whilst the article in SC Magazine finishes with a helpful quote from an encryption software producer on self-encrypting drives, it doesn't address the underlying issue: it doesn't matter how good the encryption is if your security policy, staff security education and ongoing review process are not robust. Relying on technology in isolation can make staff complacent and lead them to make dangerous assumptions, such as "if your laptop is encrypted then you have nothing to worry about".
So, when is an encrypted laptop, not an encrypted laptop? Pretty much most of the time actually.
Independent Information and Physical Security Consultants

ABS – threat or culture change?

Will non legal ownership pose a threat to client data security?

Smaller practices may now have to start looking to attract more business or corporate-style clients, as ABS opens the door to a whole new way for clients and potential clients to consult the legal profession. Traditional clients of these practices may shift to the new approach. Whilst the business impact for the unprepared practice may seem quite clear, there are other implications for private and business clients who decide to go the route of the ABS. There is also an opportunity for legally owned practices to distinguish themselves and their offering further by leveraging a culture they already operate in.

We know that solicitors have always taken security and data protection very seriously. We have interacted with legal firms, and this commitment to the safe storage, transfer or disposal of their valued clients' highly personal information is reassuring. That is because it is part of legal culture; it's tradition. What will happen when the shape of the profession changes through ABS? To answer this we needed to know what kind of organisations are showing an interest in this opportunity and how that will feed down, culturally, through new-style practices.

We also need to know how the PLC Legal, as opposed to the LLP, will look or feel once the impact of change really starts. Time will tell, but for the moment we are assuming it will be a lot more online, one-size-fits-all solutions along the lines of the 'no win no fee' offerings already available. Maybe there will be a grouping of services with insurance and accountancy etc., potentially offering a one-stop shop for services.

Going back to our question of what the impact will be, what disturbs us, as security consultants, is that while the legal profession has barely attracted a raised eyebrow from the ICO in terms of data breaches, other industries such as insurance and banking have been marked out for consistent data breaches and bad practice.

Readers of our Gambling blog (www.adventimforgambling.wordpress.com) will also know that we have discussed the loss of 3.15m credit card account details at Betfair.com, six months prior to its float. We hope that the change in legal business model will not negatively impact this culture of security within the profession. Given the involvement of 'non-legal culture ownership', online presence (and presumably payment) and the now well explored corporate difficulty with data security, it's not difficult to be concerned.

According to www.legalfutures.co.uk (18.10.11), seven major brands are poised to enter the UK legal market. One of the speakers at the Legal Futures Conference, Andy Wigmore, policy director of the Claims Standards Council, revealed that he is a director of a hedge fund which "has been hovering" over the personal injury market. The fund is poised to back a claims management company and make "some very strategic investments and acquisitions of very niche law firms".

He said the claims management companies in which the fund has, or is soon to have, an interest have "mature, refined, technology-driven, efficient processes", and the companies have already built "direct and strong relationships with brokers and insurers". Hopefully not ones that have data breach issues and are being singled out for criticism by the ICO. With the change in culture comes responsibility, and data protection may well prove to be a point of distinction for practices that need to distinguish themselves from the new breed.

Watch this blog and send us your thoughts.