Last year in November, UK’s HM Revenue and Customs lost the personal records of 25 million people. In order to prevent future such losses, they will rely on 37 employees who’s role would be to protect data. According to a parliamentary written answer by Jane Kennedy, financial secretary to the Treasury, quoted by the Register, the goal for the data guardian appointed to each business unit “to strengthen the management of the department’s data assets”.

The information was lost while being transfer through postal services on unencrypted computer disks. How about portable storage devices with encryption? Wouldn’t that be cheaper than paying the salaries of 37 people?

As we can tell from the article published by the Register, other governmental agencies also rely on work force to protect data:

In response to another written question connected to the child benefit data loss, the Department for Work and Pensions said it provides data to the National Audit Office using “rigorous courier arrangements and a requirement that physical transfers of data must have the specific authority of a member of the senior civil service”, according to Anne McGuire, minister for disabled people.

Two years ago, a major security breach was reported by the US Department of Veterans Affairs. At the time, a laptop containing private data on an extremely large number of veterans had been stolen. Following the incident, strict guidelines were established in order to protect personal information and prevent such thefts and exposures from happening.

According to the Register, two years was not enough time for government agencies to implement the guidelines and comply with their security requirements.

According to a report issued by the Government Accountability Office (GAO) today, a number of agencies fell short on recommendations for securing databases, remote access, and mobile devices. All of the agencies received a downgrade in their scores for e-government progress on the President’s Management Agenda Scorecard

Of the 24 major agencies audited in the report, only 11 had established policies for logging data extracted from agency databases and for erasing the data within 90 days of extraction. Only 15 agencies had established a “time out” function for remote and mobile devices that requires user re-authentication after 30 minutes of inactivity.

The same report has revealed that 25 other security breaches occurred in a three year interval – 2004-2007 – three of them exposing private records of more than 100,000 individuals. It also states these are only the breaches accounted for, but the actual number might be far greater.

An NHS hospital in Dudley reported the theft of a laptop containing the personal information over 5,000 patients. Although the theft in question happened in January, word of it got out only later, when the Dudley Group of Hospitals announced all affected patients.

According to an article published by Vnunet.com, the laptop was properly secured, requiring a password to login and a different one for the actual database containing patient personal details. The article further shows that NHS blames the large number of people going in and out of a public hospital for the theft, claiming that the security is a major concern. The company has spent quite some money on data encryption but apparently they should have tried to complete the process sooner:

“We take precautions to try to protect all the IT equipment in our hospitals from theft, but given that this is a public building with thousands of people accessing it every day, there are inevitably practical difficulties around security.”

Farenden said that the trust is in the process of rolling out encryption technology, following a £135,000 spend on data security. However, the laptop in question had not been upgraded before it was stolen.