Our company encrypts all of our company laptops. If someone loses a laptop, and it was locked at the time, is this considered a data breach? Do we need to report this to the ICO? We are looking at preventing users from downloading information onto the C drive of the laptop to prevent a data loss, but wonder if an encrypted and locked laptop or phone would indeed be a reportable data breach.
In considering this, it shines a light on what data an individual is storing on the device and, if you as an organisation permit this, what policies you have in place.
It is worth having a look at the data flow in your working processes to discover whether anything needs to leave the systems it is in, and where you spot that this is happening, either redesign the system or nip the behaviour in the bud.
One example is where a marketing team may export data from a CRM (equivalent) to import it into EMS (e.g. Mailchimp) and retain a local copy. It might be worth weaning them off the separate system and using one which either has a direct API or an integrated platform.
If the data is unreadable then it is not a data breach – it is why encryption is such a good tool.
I would recommend you have good key management in place, and good password management. If the user's password is easily cracked then you are wasting your time encrypting the data.
In this case I would not report this as a breach.
Great reason to buy Windows Business or Pro licenses: they come with BitLocker, which will encrypt the hard drive and make it really quite difficult to access data stored there. Similarly, Intune is a great tool for remote wiping if the laptop does get turned on by a thief. For larger organisations little data should be on the physical machine; it should be stored on cloud solutions (Azure, AWS) or on the organisation’s file servers.
I’ve dealt with several incidents relating to missing devices – they almost always were found once employees had properly looked for them. It’s difficult to assess the risk to individuals because you don’t know what data was on the device; you can try to find a like-for-like for the purposes of comparison. For stolen devices I’ve considered the risk to the individual, and usually felt that due to the mitigations (encryption, strong password policies (actually enforced), use of file servers and/or cloud for data storage) the risk to individuals was low.
It is indeed an incident, and most likely an internal breach.
However, the threshold for an ICO notification is on the element of risk to the individuals whose data was on the laptop that was lost.
See what mitigations were in place (encryption is one), what steps you’ve taken immediately, and also what types of data would possibly be accessible through that laptop and how much.
Look at all that and answer the question: Does this loss create an actual risk to the rights and freedoms of the individual?
If yes, you must notify.
“[you must notify] unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”
Of course, you will also document the event, etc. Breach or no breach, notification or no notification, that’ll help you spot patterns, should certain types of incidents have a tendency to happen in certain areas…
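An added example (my own PowerShell, not something posted in this thread) that gathers the BitLocker evidence the risk assessment above asks for ("what mitigations were in place") and that the BitLocker recommendation earlier relies on. Run it across the fleet, or on a like-for-like build, before a device goes missing, since it cannot be run on the one that is already lost; the function name and output fields are this example's own, while the cmdlets are the standard BitLocker and TPM modules on Windows Pro/Enterprise.

```powershell
# Added example, not code from the thread. Collects per-volume BitLocker state so the
# incident record can show whether "encrypted" actually meant protected at the time.
# Requires an elevated prompt; Get-BitLockerVolume and Get-Tpm are built-in cmdlets.
# Get-LostDeviceEncryptionEvidence is a name chosen for this example.
function Get-LostDeviceEncryptionEvidence {
    [CmdletBinding()]
    param()

    # TpmReady tells us whether the volume key can be sealed to hardware at all.
    $tpm = Get-Tpm

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

        # A volume can report FullyEncrypted while protection is Off (suspended for an
        # update, for example); in that state the key is stored in the clear, so the
        # encryption gives no mitigation for a lost device. Treat it as unprotected.
        $effective = ($vol.VolumeStatus -eq 'FullyEncrypted') -and
                     ($vol.ProtectionStatus -eq 'On')

        [pscustomobject]@{
            Volume               = $vol.MountPoint
            VolumeStatus         = $vol.VolumeStatus
            ProtectionStatus     = $vol.ProtectionStatus
            EncryptionMethod     = $vol.EncryptionMethod
            KeyProtectors        = ($types -join ',')
            TpmBound             = [bool]($types -match '^Tpm')       # Tpm, TpmPin, ...
            RecoveryKeyExists    = ($types -contains 'RecoveryPassword')
            TpmReady             = $tpm.TpmReady
            EffectivelyProtected = $effective
            CollectedAt          = (Get-Date).ToString('o')
        }
    }
}

# Keep the evidence with the asset inventory so it is available after a loss.
Get-LostDeviceEncryptionEvidence |
    Export-Csv -Path "$env:COMPUTERNAME-bitlocker-evidence.csv" -NoTypeInformation
```

A volume whose EffectivelyProtected field is false, or whose only protector is a password rather than a TPM-bound one, should be weighed as weaker mitigation when deciding whether the loss is unlikely to result in a risk to individuals.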