Being in the same frame of mind at the time I had rather guessed that.
In response to the points raised:

Did the organisations working methods require that the personal data was
worked on out of office hours in order to meet schedules, or was advancement
contingent upon putting in above average quantities of work, normally
achieved outside of office hours but measured as within?

The MOD case, as you say, involved an element of neglect as the laptop was
left in a taxi, that seems somewhat different to one secured in a home which
was burgled.

Why should any messenger identifying an organisational weakness be shot for
suffering a house burglary, a vehicle collison, a mugging, or any of the
other multitude of incidents which could result in some type of unforeseen
data loss?  Better in my view for any business to have catered for those
risks in advance. You are correct though questions of negligence can arise.

Issues which will certainly need re-appraisal in light of that case
include:-

Were the business security policies being adhered to. If not why not, what
alternatives were available, and what pressures caused them not to be?
Weak risk analysis? What action can be taken to improve the risk analysis
decision process?
Financial constraints reducing available security factors? How will the
financial decision making process be improved? (apart from being informed in
an overtly machiavellian way by the Nationwide scenario.)
Poor IT resources and data management. How can the learning curve for
responsible managers be increased?
Many other questions also exist.

Where a business allows or promotes home working (either overtly or
covertly) it would be interesting to contrast outcomes from any homework
security breaches with the answer to a question about the outcome from a
similar breach occurring on business premises.

I am sure the management answers to all of those issues will be dependent on
many things and may vary from terror tactics of various kinds through to the
more constructive understanding approaches. No doubt everyone will make
their own interpretive choice suitably informed by reference to their
individual situation and knowledge set at the end of the day.

Ian w


Date:    Tue, 20 Feb 2007 13:37:44 -0000
From:    Antoinette Carter <[log in to unmask]>
Subject: Re: FW: Personal data loss - One Million Pounds fine

To a certain extent, I'm playing "devil's advocate" here.
I agree that advising rather than chastising is, generally speaking, the
most effective tactic in this situation. But.... (you knew there would be a
but!)....., it's not rocket science to realise that holding thousands of
society members details on a laptop is an entirely avoidable security risk.
If a doctor kills someone due to medical negligence, they get struck off. So
I say, a Building Society manager not securing members information should be
sacked. Admittedly it's not as bad as the guy from the MOD who left his
laptop full of the nation's security plans in the back of a taxi after a
night on the **** (I wonder whatever happened to that guy......?)

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
 Any queries about sending or receiving messages please send to the list owner
              [log in to unmask]
  Full help Desk - please email [log in to unmask] describing your needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]
   (all commands go to [log in to unmask] not the list please)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^