The following e-mail will be sent on your behalf.

<your name> has sent the following story to you from ElectricNews.net.

The story is available from http://www.electricnews.net/article/10124252.html

Stolen laptops raise serious security issues
Tuesday, April 22 2008
by Matthew Clark


The Data Protection Commissioner is investigating Bank of
Ireland after learning that four of the bank's laptops, with
details of 10,000 customers, were stolen last year.

The computers belonged to Bank of Ireland (BOI) Life and were
stolen from staff members between June and October last year.
BOI reported the theft to the Data Protection Commissioner
and the financial regulator last Friday.



"The investigation will focus on the justification for the
personal data, including sensitive medical data in some
cases, being placed on the laptops in the first place, the
security arrangements in place and the exact circumstances
which led to the delay in the reporting of this matter
internally within the Bank of Ireland to the appropriate
personnel for the taking of further action," the Data
Protection Commissioner's Office said in a statement.



The information on the four BOI laptops contained the names,
addresses, financial details and some medial records of its
life assurance customers. BOI was criticised for the apparent
delay in reporting the laptop thefts, and for using passwords
instead of encryption techniques to protect the stored
information.



"Given the nature of the information that was stolen,
containing not just confidential financial details, but also
sensitive medical data, this is unacceptable and represents a
lamentable display by the bank," said the Labour Party's
financial spokesperson Joan Burton.



Since learning of the theft, BOI has initiated a full
internal investigation and started a programme to encrypt the
information stored on all 5,000 of its staff's laptops. 



"Encryption should be absolutely the minimum requirement in
this day and age. The banks are saying that they are going to
encrypt all their laptops, but the horse has already bolted.
Unfortunately people don't respond until something happens
and that's the way information security goes these days,"
said Colm Murphy technical director with information security
consultancy Espion.



BOI will also have to examine how it can secure other
portable devices such as mobile phones and PDAa, and it will
have to ask why staff need to carry information around with
them.



"Users should be reminded of the value of information.
Organisations now need to have a look at the serious issue of
data classification internally and have it flagged so when
you as a user access a certain kind of information, that
there is a pop-up or some message or some indication that
that information is protected under law," Murphy told ENN.



"Data must always stay in the datacentre, only be accessed
from secure devices and remain fully protected, so that
customers can trust that their information is safe," added
Chris Mayers Citrix chief security architect.





The bank has released some specifics about the information
contained on the stolen laptops. In a statement it said that
content relating to certain customers who obtained a quote or
took out a Life Assurance policy with Bank of Ireland Life
from the branches in Drogheda, Dunleer, Bagnelstown, Court
Place Carlow, Stephens Green, Tallaght and Montrose, was
contained on the laptops. 



The bank plans to write to affected customers over the next
few days and has said that anybody who is not a customer of
these branches is not affected by this incident. It has also
set up a helpline to handle any customer queries, through the
Bank of Ireland Life Option on 1850 365 365. This customer
helpline will be open from 9.00am to 6.00pm Monday to
Friday.



The theft of the Bank of Ireland's computers follows on the
loss of a laptop belonging to the Irish Blood Transfusion
Service with the personal details of 170,000 blood donors.
That computer was stolen when a staff member was mugged in
New York.



Bank of Ireland is not the first bank to lose sensitive
information. Earlier this month HSBC bank, in the UK,
revealed it had lost a disc containing details of 370,000 of
its customers. The data went missing after the bank used the
Royal Mail to transport the disc from its offices in
Southampton to Swiss Re.