Keeping the Information Commissioner off your back
The recent case of a Scottish advocate’s stolen, unencrypted laptop raises some important questions regarding data controller responsibility, portable media (not just laptops) and the options available for securing such media, explains Matt Torrens
When a barrister or solicitor is viewed as a data controller, they must comply with a number of duties: “It is the duty of a data controller to comply with the data protection principles in relation to all personal data in respect of which it is a data controller.”
Within a solicitors’ firm, the approach towards portable media security is often addressed centrally, with little or no choice given to fee-earners or staff. In chambers, however, it is not so straightforward. With each member of chambers being self-employed, the question of mobile data security is often left to the individual.
Pursuant to the seventh data protection principle, members of chambers must ensure that they protect data to which the Act applies using an appropriate level of security given the nature of the data and the harm that might result from unauthorised processing or loss. Whilst much of the data held by members of chambers is not remotely sensitive and may not be covered by the Act at all, some undoubtedly is. Centrally, chambers will not know who has what data at any given time or how sensitive that data might be.
A useful approach, therefore, is for chambers to provide an infrastructure that offers an adequate level of security. It must be the responsibility of individuals to consider data sensitivity in respect of each case and to seek advice from the IT department/consultancy as appropriate. Remember, this is in relation to portable media only – encrypted e-mail and other central security policies (such as anti-virus, firewalls and passwords) should be controlled centrally and form part of a layered approach to information security.
What can be used? Products are relatively cheap and simple to manage. There is some inevitable capital expenditure required, though this is likely to be fairly low. With a little effort, you can have a compliant, inexpensive, non-intrusive and completely scalable solution for mobile media security.
Encryption
There are many encryption products on the market, but we would suggest that the chosen product is:
- FIPS 140-2 compliant, which ensures that the product meets the required standard of encryption.
- Present on the Treasury Solicitor’s guidance list, as agreed with the Bar Council.
- Centrally managed, meaning that encryption, decryption and the storage of encryption keys are secure and backed up.
Remote track and wipe
In addition to the pre-boot authentication products, it is possible to install an agent (that cannot be removed) in the BIOS of a laptop that enables the scheme administrator to:
- Send a remote ‘lock’ command to the laptop.
- Send a remote message to the laptop to display on the screen to encourage its return.
- Track the laptop using wireless triangulation and geotechnology.
- Create rules to alert you, for example, when a laptop leaves a geographical boundary, or when the operating system is reinstalled.
- Send a remote wipe command and even receive a log of the files that have been deleted as the hard drive is purged.
USB sticks
With your laptops safely encrypted and the ability to remote wipe, the last major data leak via portable media is from USB drives. The simple solution is to purchase hardware encrypted USB drives. The managed version of the devices can also be remotely wiped if lost or stolen. In the case of chambers, a stock of encrypted USB drives could be held centrally, ready for use as and when the data controller deems necessary.
Matt Torrens is a director of legal IT company SproutIT