Recent data breaches suffered by two education organizations in the U.K. have led the country's regulatory watchdog to call for better data protection measures and the use of encryption for all personal information.
According to the Information Commissioner's Office, the Association of School and College Leaders and Holly Park School were both the victims of data breaches this summer when laptops containing unencrypted data were stolen from the two organizations.
The ICO revealed that a laptop was stolen from an unlocked office at Holly Park School in Barnet. The laptop reportedly contained unencrypted information on several students, including names, addresses, grades and some health information.
Shortly thereafter, the ASCL, a union for British teachers and educational professionals, may have compromised the information of about 100 of its members when a laptop was stolen from an ASCL employee's home. The unencrypted data on the laptop included membership details as well as information about the mental and physical health of some individuals.
Both organizations have been accused of violating the U.K.'s Data Protection Act for failing to protect sensitive information stored on their IT networks. Specifically, the ICO said the lack of data encryption has put individuals' information in danger of being misused.
"The ICO's guidance is clear: all personal information – the loss of which is liable to cause individuals damage and distress – must be encrypted," said Sally Anne Poole, head of enforcement at the ICO, in a statement.
These breaches mirror a previous incident that occurred in 2007, when, according to an IT Pro report, the U.K.'s tax collection department, HM Revenue and Customs, suffered a breach stemming from the loss of two disks containing personal and financial information on some 25 million people. That event, too, sparked criticism from the ICO and an investigation by the Metropolitan Police.
The use of data encryption is less complex than some other data security measures, but it can provide significant benefits when properly implemented. By requiring some form of authorization to open files or documents, encryption can be utilized as a simple yet effective way to keep unwanted visitors and intruders away from sensitive corporate data.
However, according to CSO Online, a 2010 study found the large majority of organizations fail to utilize any sort of encryption. The study, which surveyed more than 200 IT security administrators, found that 70 percent of companies do not use data encryption on their laptops, and 87 percent do not encrypt USB or other portable devices.
As the ASCL and Holly Park School discovered, this lack of encryption can put personal information in harm's way, which, in turn, can lead to identity theft for the individual and sanctions and reputation damage for the organization. To avoid such incidents, it is important that organizations do what they can to keep information out of the wrong hands.
Security News from SimplySecurity.com by Trend Micro