digital knowledge. digital culture. digital memory.

12.7.07

What was on the laptop?


New to this blog? Why not subscribe to its feed or sign up for free email updates?


Nobody likes to loose something that costs two or three thousand dollars, which is the typical cost of a laptop these days. However, when a laptop goes missing from an important government office, the replacement cost should be the least of anyone's worries. Technology can be replaced but the damage done by stolen information can be irrevocable.

Sometime during the afternoon or evening of Friday, July 6, 2007, a laptop, a mobile phone, and other items, possibly including a USB cable, went missing from the Office of the Prime Minister in the Government building in Suva. This fact has been widely reported on by all major media outlets in Fiji. Commentary from government officials, police, and journalists seem to focus on outrage that the PM's office was violated and the new security measures being put in place to ensure that this incident is not repeated in the future. This reaction can be summed up by comments from former Prime Minister Rabuka carried by the Fiji Times.

The theft from the Prime Minister's Office was tantamount to sacrilege and a serious crime against the State, said former Prime Minister Sitiveni Rabuka yesterday. He said such a breach of security never happened during his tenure and it pointed to the need to upgrade security.
[Security concern in the PM's office, Fiji Times, 11/7/2007]
However, the question that no one is asking is, what was on the laptop? What information from the highest office in the country is now "in the wild"? What government information may be lost forever if the laptop was not recently backed up?

Shortly after I arrived in Fiji approximately one year ago, the theft of a government laptop from an employee's home was reported in my home town of Edmonton, Alberta, Canada. It turns out that this laptop contained mental health information for over a thousand patients in the Province of Alberta. Neither the laptop nor the data were recovered.

What motivated a government investigation resulting in a twelve page public report into this incident was not the question of whether the employee or her employer failed to adequately protect public physical assets, i.e. the laptop. The government inquiry was focused on whether the employee or her employer failed to adequately protect confidential patient data. The investigation found that the employer, a regional health management organization, had failed in its responsibilities - chiefly through having inadequate policies in place - and was required to inform all 1000+ patients that their files had been compromised.

The investigation report went on to make the following general recommendations to all government departments in the province of Alberta who use mobile computing equipment such as laptops.
  • Perform a Privacy Impact Assessment (which should include an assessment of security risks) before implementing mobile computing.
  • Do not store personal or health information on mobile computing devices unless you need to – consider technologies that allow secure, remote access to your network and data instead.
  • If you must store personal or health information on a mobile device, use encryption to protect the data – password protection alone is not sufficient.
  • Keep the amount of personal or health information stored on mobile computing devices to a minimum, based on your business needs.
  • Periodically check your policies against practice to ensure they reflect reality and remain effective.
  • Provide specific training on mobile computing to staff to ensure they understand the risks and understand how to protect their equipment.
[Information and Privacy Commissioner of Alberta, Report of an Investigation Concerning a Stolen Laptop Computer, December 5, 2006 - pdf file]
These recommendations are valuable to all organizations with sensitive information stored on laptops and other mobile devices, both in the public and private sectors. Organizations in Fiji would do well to consider adding similar provisions to their information security policies. You do have an information security policy, right?

Photo by: Filipe Morin

4 comments:

thrashor said...

Police now report that the stolen laptop has been recovered and they are questioning a suspect in connection with the theft.

thrashor said...

See the Fiji Times http://www.fijitimes.com/story.aspx?id=66321

Wilson said...

I'm sure as hell World of Warcraft was on that laptop! :P

Anonymous said...

clearly local pr0n XD