Welsh Government Loses Devices Worth £21,000

Welsh Assembly Government staff have had 54 laptops and mobile devices lost or stolen over the past two years, according to the results of a request under the Freedom of Information Act 2000 (FOI) revealed on Thursday.

The losses are the latest to come to light amidst growing concern over the potential loss of sensitive information due to data security breaches by public and private-sector bodies. The Information Commissioner’s Office (ICO) has taken an increasingly active role in highlighting such concerns, and in January gained powers to fine organisations up to £500,000 for failing to adhere to data security regulations.

A FOI request by German encryption provider GSMK found that 24 office-issue laptops and 30 mobile devices, including mobile phones or smartphones, had gone missing from Welsh Assembly Government staff over the past two years. The equipment was valued at £21,000 in total, GSMK said.

Sensitive data

Three laptops and four mobile devices were subsequently returned, according to GSMK. The government has issued a total of 2,300 laptops and 2,950 mobile devices to staff, the majority of the mobile devices being mobile phones.

“Government laptops and phones contain a wealth of sensitive information and losing just one device is the equivalent of losing a whole filing cabinet of confidential data,” said GSMK chief executive Dr Bjoern Rupp, in a statement.

Last month the ICO reprimanded Yorkshire Building Society after an unencrypted laptop loaded with part of the customer database and complete with passwords was stolen from a company office.

Earlier in August, Zurich Insurance was hit with a record fine of £2.28 million by the Financial Services Authority (FSA), after its sister company Zurich South Africa lost an unencrypted backup tape containing the financial personal information of around 46,000 policy holders.

The ICO has warned that businesses that do not own up to data breaches will face tougher action than those that come forward of their own volition.

The ICO has as yet issued no fines, but has publicly criticised a number of private- and public-sector bodies that have been subject to data breaches.

In June the ICO published a list of all the data breaches reported since 2007. Of the 1,007 reported breaches, the NHS was responsible for 305.

UK breach notification laws on the way

Public-sector organisations are currently obliged under UK law to report any significant actual or potential losses of data to the ICO. For private-sector organisations, however, such reporting is merely “a matter of good practice”, according to a government report published in November of 2008.

At that time the government ruled out introducing laws for mandatory private-sector data breach notification, of the kind that have been introduced in the US.

“After considering the analysis of the experience of the US in the area of data-breach notification legislation, the government is not intending to implement similar legislation to that in operation in the US,” stated the Ministry of Justice in its Response to the Data Sharing Review Report.

However, that situation is due to change beginning next year for telecommunications companies. Under the EU’s Telecoms Reform Package, agreed upon by the European Parliament and the Council of Ministers in 2009, European telecommunications companies will be obliged to inform regulators of serious data breaches.

Those changes are due to be incorporated into UK law by the end of 2011, the ICO said at the Infosecurity Europe 2010 conference in April.

Private-sector organisations targeted

In addition, the EU has said it is planning to expand the scope of the regulations beyond telcos. In the Digital Agenda plan, introduced in May, the EU said it was planning to expand the rules in order to fight cybercrime and encourage users to trust online services.

“The ongoing review of the EU’s general data protection framework will… explore a possible extension of the obligation to notify data security breaches,” the EU said in the document.

The European Parliament had pushed to include providers of “information society services”, such as banks and health services providers, in the 2009 reforms, but the European Commission and the European Council rejected that idea at the time.

The changes are part of plans to reform European privacy laws announced by the European Commission in February. The reforms will aim for what information society and media commissioner Viviane Reding called a “clear, modern set of rules for the whole EU”.