Is the Data Protection Commissioner doing the job?

  • 18-06-2009 04:46PM
    #1
    Closed Accounts Posts: 2,055 ✭✭✭


    Questions:

    One assumes that Bord Gáis is registered with Data Protection? If so:

    1 Does Data Protection (www.dataprivacy.ie) require holders of personal information to encrypt data?

    2 Does Data Protection impose basic standards for encryption of personal data? (eg minimum password size and complexity, requirements for multi-factor authentication, minimum encryption standards etc). Poor passwords are easily cracked by password “recovery” services*. When I hear reporters say "the stolen laptops were encrypted, so everything is OK" it makes me laugh!

    3 Does Data Protection require the installation of anti-theft software on devices that store high value datasets of personal information? (eg software – preferably a rootkit – that calls home over the internet to report its location and ideally is capable of taking instructions to wipe files after being reported stolen). Large valuable datasets (eg utilities databases containing customer co-ordinates and banking/bank card details of over a specified number – perhaps 50,000 customers) should not be permitted to be copied to portable devices or removed from a secure environment.

    4 What fines and other penalties are and have been imposed on negligent companies in the past?

    5 Is there any point in having a Data Protection Commissioner bureaucracy given the frequent disappearance of unencrypted personal datasets on portable devices used by Irish companies?

    *eg: www.lostpassword.com

    www.siliconrepublic.com/news/article/13218/cio/75-000-customers-bank-details-on-stolen-bord-gais-laptop


Comments

  • Registered Users, Registered Users 2 Posts: 1,176 ✭✭✭podgeen


    Hi Probe,

    I would be interested in hearing answers to your questions. I have another question to add to the list -

    Has any organisation ever been prosecuted for breach of the data protection act?

    I raised this question in a blog post on about the Bord Gáis breach earlier today.


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    podgeen wrote:
    Hi Probe,

    I would be interested in hearing answers to your questions. I have another question to add to the list -

    Has any organisation ever been prosecuted for breach of the data protection act?

    I raised this question in a blog post on about the Bord Gáis breach earlier today.

    Is this not the same as my question # 4? :-)


  • Registered Users, Registered Users 2 Posts: 1,176 ✭✭✭podgeen


    Yes it is :o
    Sorry, I misread your question 4. That's what I get for posting at 12:44am!

    In relation to your comments on question 2, did you read the report in the Irish Times? The Managing Director of Bord Gáis Energy, Dave Bunworth, said that while the laptop was not encrypted it would be "very difficult to get into" :)

    Dave


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    podgeen wrote:
    Yes it is :o
    Sorry, I misread your question 4. That's what I get for posting at 12:44am!

    In relation to your comments on question 2, did you read the report in the Irish Times? The Managing Director of Bord Gáis Energy, Dave Bunworth, said that while the laptop was not encrypted it would be "very difficult to get into" :)

    PR spin! BGE presumably had the Windows password enabled on this machine? Windoze security at its best :)

    http://windowspasswordforgot.com


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 96,053 Mod ✭✭✭✭Capt'n Midnight


    probe wrote:
    The Managing Director of Bord Gáis Energy, Dave Bunworth, said that while the laptop was not encrypted it would be "very difficult to get into" :)

    PR spin! BGE presumably had the Windows password enabled on this machine? Windoze security at its best :)

    http://windowspasswordforgot.com

    First, home.eunet.no/pnordahl/ntpasswd is the free open source Windows password removal tool; no need to buy a closed source one that claims (well, it would) to be not dodgy.

    Almost any Linux / BSD live CD will bypass NTFS security on unencrypted Windows files; hell, even DOS 5 + NTFSDOS could do that 10 years ago (files dated '92, '96).

