Welsh Assembly Government staff have had 54 laptops and mobile devices lost or stolen over the past two years, according to the results of a Freedom of Information Act 2000 (FOI) request revealed on Thursday.

The losses are the latest to come to light amidst growing concern over the potential loss of sensitive information due to data security breaches by public and private-sector bodies. The Information Commissioner’s Office (ICO) has taken an increasingly active role in highlighting such concerns, and in January gained powers to fine organisations up to £500,000 for failing to adhere to data security regulations.

An FOI request by German encryption provider GSMK found that 24 office-issue laptops and 30 mobile devices, including mobile phones and smartphones, had gone missing from Welsh Assembly Government staff over the past two years. The equipment was valued at £21,000 in total, GSMK said.

Sensitive data

Three laptops and four mobile devices were subsequently returned, according to GSMK. The government has issued a total of 2,300 laptops and 2,950 mobile devices to staff, the majority of the mobile devices being mobile phones.

“Government laptops and phones contain a wealth of sensitive information and losing just one device is the equivalent of losing a whole filing cabinet of confidential data,” said GSMK chief executive Dr Bjoern Rupp, in a statement.

Last month the ICO reprimanded Yorkshire Building Society after an unencrypted laptop loaded with part of the customer database and complete with passwords was stolen from a company office.

Earlier in August, Zurich Insurance was hit with a record fine of £2.28 million by the Financial Services Authority (FSA), after its sister company Zurich South Africa lost an unencrypted backup tape containing the personal financial information of around 46,000 policy holders.

The ICO has warned that businesses that do not own up to data breaches will face tougher action than those that come forward of their own volition.

The ICO has as yet issued no fines, but has publicly criticised a number of private- and public-sector bodies that have been subject to data breaches.

In June the ICO published a list of all the data breaches reported since 2007. Of the 1,007 reported breaches, the NHS was responsible for 305.

UK breach notification laws on the way

Public-sector organisations are currently obliged under UK law to report any significant actual or potential losses of data to the ICO. For private-sector organisations, however, such reporting is merely “a matter of good practice”, according to a government report published in November of 2008.

At that time the government ruled out introducing laws for mandatory private-sector data breach notification, of the kind that have been introduced in the US.

“After considering the analysis of the experience of the US in the area of data-breach notification legislation, the government is not intending to implement similar legislation to that in operation in the US,” stated the Ministry of Justice in its Response to the Data Sharing Review Report.

However, that situation is due to change beginning next year for telecommunications companies. Under the EU’s Telecoms Reform Package, agreed upon by the European Parliament and the Council of Ministers in 2009, European telecommunications companies will be obliged to inform regulators of serious data breaches.

Those changes are due to be incorporated into UK law by the end of 2011, the ICO said at the Infosecurity Europe 2010 conference in April.

Private-sector organisations targeted

In addition, the EU has said it is planning to expand the scope of the regulations beyond telcos. In the Digital Agenda plan, introduced in May, the EU said the wider rules were intended to fight cybercrime and encourage users to trust online services.

“The ongoing review of the EU’s general data protection framework will… explore a possible extension of the obligation to notify data security breaches,” the EU said in the document.

The European Parliament had pushed to include providers of “information society services”, such as banks and health services providers, in the 2009 reforms, but the European Commission and the European Council rejected that idea at the time.

The changes are part of plans to reform European privacy laws announced by the European Commission in February. The reforms will aim for what information society and media commissioner Viviane Reding called a “clear, modern set of rules for the whole EU”.

Matthew Broersma


  • Data loss and theft is rapidly becoming the centre of attention for IT security policies as data is increasingly available irrespective of location. However, some simple and cost-effective measures provide a very good first level of protection.

    Examples are:
    - Use a strong password for all your devices... and bother to change it every now and again
    - Keep your devices charged, and charge them in a secure place (home, car, office) to avoid having to leave them unattended in a hotel or with someone else
    - Don't forward information on to a private e-mail address
    - Don't display your phone / laptop in your car
    - Don't keep your mobile phone where pick-pockets have easy access to it
    - If possible, use devices that can be remotely wiped (e.g. BlackBerry) in case of loss or theft
    - Protect your device from drops and bumps (e.g. OtterBox cases) to avoid having to repair or chuck it... with all the data on board...
    - Use a two-factor authentication device, such as the BlackBerry Smart Card Reader, for optimal protection
    - Use hands-free solutions to talk, as this will keep both hands free to hold on to bags, laptop cases etc. and thus make it more difficult to be pinched
    - Use a device like "Blue Watch Dog", which can be placed in a laptop bag and will ring your mobile as soon as it is out of Bluetooth reach... an early warning sign when your laptop has gone walkies or you left it behind.

    Good luck, everyone.
