Laptop loss – where’s the accountability?

From the Irish Independent:

STAFF at the State spending watchdog who failed to inform authorities that laptops stolen from them contained sensitive information about up to 400,000 people are to escape disciplinary action.

The Office of the Comptroller and Auditor General (OCAG) last night confirmed the staff will not face any sanction despite not displaying the “common sense” to report the nature of the material contained on three laptops stolen over the past three years.

OCAG admitted the unencrypted laptops — among 16 stolen from their officials since 1999 — contained highly sensitive information, including PPS numbers, bank account details and social welfare payment details.

While the staff involved reported the theft of the laptops to their superiors and the gardai, the extent of the information contained in them was not reported and only became apparent in recent weeks when OCAG conducted a review.

An OCAG spokesman described the massive oversight as “a procedural flaw” and said no disciplinary action would be taken as there had been no procedures in place at the time for the reporting of the theft of sensitive information.

The OCAG appears to be suggesting that the only mistakes made were those of the individual staff who failed to report the nature of the information which had been stolen. But those mistakes – serious as they were – are just the tip of the iceberg. Who was responsible for the failure to encrypt these laptops? Who was responsible for the decision to transfer entire databases to vulnerable devices? And who was responsible for deciding to copy entire databases without first anonymising the identities and bank details of the social welfare recipients? Those individuals should also be held to account.