Welsh Police £160k Data Breach - 'no brainer'

What Happened?

This week the ICO has fined the Welsh Police for losing a video recording which formed part of the evidence in a sexual abuse case. Despite the DVDs containing a graphic and disturbing account, the discs were unencrypted and left in a desk drawer. South Wales Police had no specific force-wide policy in place to deal with the safe storage of victim and witness interviews in its police stations.

Five minutes on a 'well-known search engine', and I was able to find a FIPS 140-2 256-bit AES DVD encryption solution being sold for $2.75 per disk. Even if you did the usual (annoying) £/$ conversion, £2.75 per disk doesn't seem a great deal considering the £160k fine and the potential costs involved in legal cases being dropped because of lost data.

Doing the 'math', SW police could have purchased 29,000 disks for the cost of the fine. Depending on compression ratios, there's about 2 hours of video per disk, which equates to 58,000 hours, 2,417 days or just over 6 and a half years of interview!

The Law says:

Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and the nature of the data to be protected.

Conclusion

No brainer