In message <oajkpk$gfh$1...@dont-email.me>, at 15:49:33 on Sat, 18 Mar
>On 18/03/2017 14:26, Roland Perry wrote:
>> In message <oajduk$p1j$1...@dont-email.me>, at 13:52:46 on Sat, 18 Mar
>>> On 17/03/2017 21:13, Roland Perry wrote:
>>>> https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2017/03/fine-for-lawyer-who-stored-client-files-on-home-computer/
>>>
>>> Very few lawyers have the resources to test the promises made by
>>> suppliers.
>>
>> Some cloud backup services are explicitly compliant with the "Safe
>> Harbour" rules (as were), which should be good enough certification for
>> most purposes.
>
>Only relevant if the data is being transferred outside the EU, and you
>are still reliant on the supplier actually doing what they say they do.
No, you are conflating two issues. The certification is about the data
being held to EU-required-standards, and as it's a cloud then you need
for EU-EU working, let alone third countries.
I wasn't going to raise it again [I'm still in mid flow on the same
topic in another thread, but have been preoccupied elsewhere recently]
but the husband's backup, if to a cloud, could easily have involved a
third country transfer without his knowledge (unless that was a feature
he had specifically purchased).
>Most promises of "military grade encryption" etc are pretty worthless.
Maybe they often are, but the cloud in question (IBM Connections Cloud)
says it does have certification [without using silly generalities like
that], and I'm inclined to believe them.
Of course, it also has multiple access/login protocols for those "under
a bus" scenarios which trouble you so much.
Meanwhile, the second of the promised solutions is a laptop with a
fingerprint scanner built in. Toshiba's implementation [which I've seen]
again has multiple prints for human resilience, and can log into
Windows, or Websites, on a fingerprint; and can also encrypt files to a
fingerprint. As you can export and save the fingerprint data, then it's
transferable to and from clouds and between machines, independent of the
Windows login password.
>I don't suppose the supplier who exposed the data to the internet
>mentioned that intention in its marketing blurb or policy statements.
I think they should be named and shamed too. It could be something as
daft as in the small print of Google Documents, if you don't set it up
non-default. I don't know (comments from others more familiar, welcome).
>>> Though special precautions are appropriate if the data is of a
>>> sensitive nature - it's not clear what exactly this was.
>>
>> The report is fairly explicit on that matter.
>
>It contained data relating to "vulnerable persons" but so does the
>phone book. If she was handling 250 child abuse cases, that's a
>different league to routine divorces that might mention the name and
>age of a child.
If the ICO says "six of the 15 documents contained confidential and
highly sensitive information", I'm inclined to believe them. The
implication is that each document had multiple persons' data.
>>> Disk encryption would not have prevented this issue, as the files
>>> appear to have been copied to the cloud from within the filesystem,
>>
>> Microsoft's Encrypting File System (EFS) should allow this, with very
>> little of the pain you mention later.
>
>Does EFS offer any advantages over Bitlocker (or the consumer-grade
>Device Encryption) in this respect?
It's on a file by file (or directory by directory) basis.
>I don't know about EFS, but Bitlocker is only protection against the
>bad guy without access to the user account - once logged in as the
>user, the files are accessible
The only better protection would be two-step (ie a second password) or
two-factor (such as password + fingerprint or Yubikey).
>and if moved or copied elsewhere to an unencrypted drive, they won't be
>encrypted. I imagine that's what the barrister's husband did.
There are apparently some tricks to uploading, such as wrapping the file
in another layer of encryption and uploading that. I've finally got
around to testing that (wrap, upload, download elsewhere, unwrap) and it
works. Obviously you still need to log into the original Windows user to
later see 'through' the EFS.
>>> though if the drive had been encrypted the . In most legal practice it
>>> is not practical to encrypt all files on a file-by-file basis. Access
>>> is too frequent, passwords could not be managed and files need to be
>>> shared, and accessible for supervisory and regulatory purposes.
>>
>> This wasn't a server, and if files need to be *sent* to someone else,
>> then encrypting that transfer of perhaps the plain text is another
>> fairly well solved problem.
>
>I agree as regards sending things, although a shockingly large amount
>of legal work still goes entirely unprotected, by email with
>unencrypted attachments.
Using Office document-passwords would be better than nothing. Another,
which is less vulnerable to people snooping via third party mail
servers, and easy to use just like conventional email, is to go back to
first principles and set up SMTP servers at both ends, with direct
transmission. None of this is more complicated than learning how Excel
works.
Finally, a bit more fiddly than the last one, but much more secure, is
setting up an ss*h* server on the destination site and using ssh-ftp
(this is something I've had available when needed since 1999).
>But the legal regulators insist both that you must protect the
>confidentiality of data, and have it accessible if some disaster
>happens and a colleague takes over, or the regulator wants to take
>possession of it. Not easy to reconcile if you are a sole practitioner.
Welcome to the world of Data Controllers. Every self employed
professional, tradesman, micro company etc has to obey the DPA just like
the big boys. It's not an excuse to say "it's too difficult". See above
for some solutions, but lower tech "break the glass" (usually a sealed
envelope in the safe) is probably adequate for most smaller firms.
>>> I can't help feeling that this barrister was just unlucky.
>>
>> The way I read it, the files should never have been on a BYOD in the
>> first place.
>
>Where should they have been? I don't suppose most barristers have more
>than one PC.
That must be a bit inconvenient, having to secure it suitably for
transporting from chambers to home to court etc. Where best practice
would say it should be encrypted in transit anyway!
With a reasonable spec laptop costing less than half a day's fees for
a regular barrister, let alone a senior one, it seems like a useful
investment to have two. Or in this day and age perhaps one laptop/
desktop plus a compatible tablet/keyboard combo for use in the field.
--
Roland Perry
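The "wrap, upload, download elsewhere, unwrap" round trip described above, as an added shell example that is not part of the thread: the file gets an independent encryption layer before it ever reaches a sync folder, so the copy does not rely on EFS or BitLocker, which only protect the original volume. It assumes OpenSSL 1.1.1 or later (for `-pbkdf2`), stands a local directory in for the cloud folder, and uses a constructed sample file and passphrase.

```shell
#!/bin/sh
# Added example (not from the thread). Wrap a file in its own encryption
# layer before copying it to a cloud-sync folder, then prove the copy
# carries no plaintext and that it unwraps intact on "another machine".
# Assumes OpenSSL 1.1.1+; the passphrase and file content are constructed.
set -eu

# Encrypt $1 into $2, deriving the key from the passphrase in file $3.
wrap_file() {
  openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
    -in "$1" -out "$2" -pass "file:$3"
}

# Decrypt $1 into $2 with the same passphrase file $3 and KDF settings.
unwrap_file() {
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
    -in "$1" -out "$2" -pass "file:$3"
}

# Full round trip: wrap, copy to the "cloud", copy down elsewhere, unwrap,
# and confirm the recovered file is byte-for-byte identical. Returns 0 on
# success, 1 if plaintext leaked into the cloud copy or the unwrap differs.
roundtrip() {
  work=$(mktemp -d)
  printf 'client file: constructed sample content\n' > "$work/brief.txt"
  printf 'constructed-sample-passphrase\n' > "$work/pass.txt"
  mkdir -p "$work/cloud" "$work/other-machine"

  wrap_file "$work/brief.txt" "$work/brief.txt.enc" "$work/pass.txt"
  cp "$work/brief.txt.enc" "$work/cloud/"                 # "upload"
  cp "$work/cloud/brief.txt.enc" "$work/other-machine/"   # "download elsewhere"

  status=0
  # The synced copy must not contain the original text.
  if grep -q 'client file' "$work/cloud/brief.txt.enc"; then
    echo "plaintext leaked into cloud copy" >&2
    status=1
  else
    unwrap_file "$work/other-machine/brief.txt.enc" \
      "$work/other-machine/brief.txt" "$work/pass.txt"
    if ! cmp -s "$work/brief.txt" "$work/other-machine/brief.txt"; then
      echo "unwrapped file differs from original" >&2
      status=1
    fi
  fi
  rm -rf "$work"
  return $status
}
```

The passphrase file is the "break the glass" item here: whoever holds it can unwrap the copy regardless of which Windows account made it, so it belongs in the safe, not in the same sync folder.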