How to keep your corporate secrets safe

We look at some of the technologies companies can use to avoid becoming one of the shocking 92% of British firms which do not encrypt their precious data

23 Oct 2008


A text transcription follows.

This transcript is for anyone with a hearing impairment or who for any other reason cannot listen to the MP3 audio file.

The following is the text spoken by OUT-LAW journalist Matthew Magee.


Hello and welcome to OUT-LAW Radio, the weekly podcast that keeps you up to date on all the twists and turns in the world of technology law.

Every week we bring you the latest news and in depth features that help you to make sense of the ever-changing laws that govern technology today.

My name is Matthew Magee, and this week we look at some of the things companies can do to stop even lost laptops from spilling their corporate secrets to all and sundry.

But first, the news:

Copyright laws and media regulation to be reviewed

and

Right to silence doesn't cover encryption keys

Copyright laws and the way that media and telecoms services are regulated could be due for a change under a review the Government will conduct into the UK's digital economy. Ex-chief executive of Ofcom Stephen Carter will conduct the review.

The review will result in a plan whose aim will be to improve levels of investment in and the quality of the digital media and communications industry in the UK, the Government said. Carter was recently made Lord Carter and made Minister for Communications, Technology and Broadcasting.

Copyright laws and media and telecoms regulation will form part of the review, the Government said.

Two men have been told that they cannot rely on their right to silence to refuse to give British police a computer password.

The men had claimed that forcing them to hand over the key to encrypted data on their computers would be forcing them to incriminate themselves. Defendants have a right to silence and to refuse to divulge information which would act as evidence against them.

The Court of Appeal has said that an encryption password is not in itself incriminating information and that both it and the information on the computers exist outside of and independent of the men. It said they do not have the right to refuse to divulge the keys.

That was this week's OUT-LAW News.


Data breaches no longer truly shock. Barely a week goes by without some major organisation with whom people have trusted personal information reporting the loss of that information in one way or another.

Hackers break into wireless networks, discs go missing in the post and people leave laptops behind on trains or in late night taxis. The news has been peppered with such incidents for an unbroken year, and we are largely used to it: as a public, probably more hurt than angry.

But perhaps what still has the capacity to shock are incidents in which a lost laptop, USB memory stick or disc was not encrypted.

Technology has long, long been available to make information on a machine near-impossible to read without decryption keys. Surely, we think, every major organisation that holds personal information employs it?

Well here's a shock: in a Government study published earlier this year it was discovered that just eight per cent of UK companies encrypt or password protect their hard drives. It found that of those who had laptops stolen, seventy eight per cent had unencrypted hard drives.

So, for all you encryption refuse-niks out there, OUT-LAW is today providing a bit of a public service. We're going to look at a couple of technologies that could help you to protect the information that you have.

As we'll hear, this isn't just about the privacy of people whose information you've collected. It's also about protecting information that is incredibly valuable to your business – sales figures, share price data, even intellectual property.

The good news from the world of computer encryption is that that eight per cent figure might be on the rise. Nick Lowe is head of northern Europe for Checkpoint, one of the companies you would go to if you wanted your computers encrypted. He says that ever since HM Revenue and Customs lost 25 million people's personal information, enquiries have rocketed.

Lowe: Our enquiries are up significantly since the HMRC and the other ones we've seen. I think things like the HMRC incident brought the awareness of what we are talking about to the average person. What HMRC has done is it has made the user aware of their own actions.

So what does encryption actually do? Lowe explains.

Lowe: It does two things, it encrypts the hard drive that’s on the machine itself whether it be a laptop or a PC at the desk, but it also encrypts the data that can be found on, say, a phone or USB stick or some removable media.

The problem of data loss is growing more serious as databases of personal information grow ever larger. More organisations know more about us than ever. If one of those databases is compromised then the consequences are extremely serious.

It used to be that organisations thought that their security policy should be focused on telling people how to be safe, that that would be enough. No more, says Lowe.

Lowe: We have seen over the last year especially more and more breaches from Government organisations and commercial organisations. Usually when you get into the debrief of those situations it is human error that gets in the way. As we move forward we’ve got to take more away from educating the user, because these things are incredibly complicated and as I said earlier the user quite often doesn’t even know the implications of their own actions. So we are kind of moving towards an environment where the policy of the company needs to protect that data and it is out of the hands of the user.

But lost machines are not the only source of information leaks. With fast internet connections to virtually every desk, with email, web access, instant messaging, web telephones and all manner of communications options available to almost every deskbound worker, how on earth is a company meant to keep a hold of its precious data?

There, too, companies are moving away from a process of educating and trusting users and more towards compulsory technological fixes.

It used to be that companies such as Clearswift specialised in keeping data out of organisations. Now it works at keeping it in.

The company started off making software to keep viruses, spam and other digital nasties away from office computers. Then it began using similar technology to stop valuable information from going the other way.

Clearswift's software now scans a list of documents a company designates as sensitive and keeps an eye on every piece of outgoing communication - from instant messages to blog posts to emails - to ensure that not even the smallest snippet escapes. Alan Hockey, director of product management at Clearswift, explains.

Hockey: Someone in HR or someone in legal or someone in the finance department, they can tell the ContentSafe server which files that they have access to are sensitive files and what the ContentSafe server will do is it will take a digital representation of the word and phrases within that particular document or series of documents. So if someone in the organisation tries to send out either the whole document or a random part of that document we would be able to identify down to just a random sentence out of that document and be able to control it as to the company’s policy.

Hockey admitted that technology such as Clearswift's is designed to prevent the accidental leakage of information rather than to put the brakes on a determined leaker.

Personal data is one massive area to be nervous about, but there are others. Hockey said that there are all kinds of information a company will want to make sure doesn't leave the building.

Hockey: Anything that they have inside their organisation in terms of trade secrets, processes, secret formulas. You could be a pharmaceutical company with a new drug. You may want to patent it. You obviously need to keep all information regarding that drug under control before your patent is granted. So pretty much every organisation has got something of value that they really don't want to lose. It could be a source code, it could be a number of different things.

The implications for companies of precious information going missing can be enormous. Technology lawyer Louise Fullwood of Pinsent Masons, the law firm behind OUT-LAW, says that companies are growing increasingly sensitive, and vulnerable, to leaked information.

Fullwood: Well of course any companies which are publicly listed are subject to very strict criteria on price sensitive information. In the current environment what some of our clients are seeing is that employees are leaking sometimes maliciously, sometimes innocently just through gossip, information in this sort of area and that's having an effect on the share prices and that's often causing the companies to be devalued or to have problems getting finance or for their reputation to be adversely affected. And of course the other side is that in the current environment some companies are making employees redundant, there could be instability, there could be cuts in pay or cuts in bonuses, and that leads to a situation where you have employees with an axe to grind who feel a bit disgruntled and some of them are in a way getting their own back by leaking damaging information.

The use of all kinds of information security is on the rise. Hockey says that legislation and large company standards are pushing adoption, while Lowe says that adoption filters down even into smaller firms.

Hockey: There is a lot more onus being placed upon organisations who deal with things like financial information and credit cards to ensure that they are not being disseminated to places that they shouldn’t and companies are just making sure that they are belt and braces protected to ensure that people aren’t doing it deliberately.

Lowe: But actually we are saying it’s filtering right the way down. If you happen to be a company that is in the supply chain of a large automotive or a large manufacturer for instance and you happen to be part of their electronic supply chain, clearly you are going to have access to information that is sensitive. It could be copyrighted and certainly could be deemed to be the intellectual property of your customer and consequently you also as a company have a responsibility to ensure that that information doesn’t end up in the hands where it shouldn’t because you probably wouldn’t fit in the supply chain much longer if you were the leaking party.

Reports still emerge of organisations losing unencrypted machines, but if that filter-down process truly works, perhaps next year's Government report will reveal a welcome increase in that extraordinary figure of eight per cent.


That's all we have time for this week, thanks for listening.

Why not get in touch with OUT-LAW Radio? Do you know of a technology law story? We'd love to hear from you on radio@out-law.com. Make sure you tune in next week; for now, goodbye.