The device was lost by a member of staff from a centre in Ontario State, and contained data collected from everyone who attended H1N1 or seasonal flu vaccination clinics in the region over a period of nearly two months. The data included personal information such as names, addresses, phone numbers, dates of birth, health card numbers, doctors’ names and so on.
The device, lost by Shropshire Council in England, contained personal and health details of vulnerable members of the public, and of members of the council’s own staff who were working in the sensitive adult social care department. It was being sent by post from the council to a contractor in Cardiff.
The ICO said the loss breached the Data Protection Act, and the undertaking the council has signed requires education of staff on data security, and encryption of portable and mobile devices used to store and transmit personal data.
Last week’s episode of the British satirical comedy, The Thick of It, showed how the concept of a major public-sector data loss has become so mainstream that it can be the subject of an entire programme.
The story was based around the accidental wiping of a large volume of citizen data within a Government department, with no backup available, and followed the frantic efforts of the department to stop the news leaking to the press.
More UK companies and Government departments than ever are reporting data losses to the Information Commissioner’s Office, the UK data watchdog, according to recent data.
Reported incidents grew nearly 100% to 356 data losses in the period between November 2008 and September 2009, compared to 190 incidents between October 2007 and November 2008.
The most common type of loss was due to stolen hardware, usually laptops, with 127 such cases. Another 71 were due to lost hardware – usually USB flash drives – and 78 due to misaddressed discs or memory sticks.
It’s hard to say whether the number of losses has increased, or if organisations are simply reporting more losses than in previous years. But it’s reasonable to assume that many of these losses would not have caused problems if the data had been stored on a secure USB flash drive.
After being banned in November 2008, it looks likely that USB flash drives are about to be reintroduced to U.S. Defense Department computers and networks.
But there will be very strict controls on their use, to avoid a repeat of the malware and security issues that caused the DoD to suspend the use of all USB memory sticks, removable storage devices and camera flash cards on all networks after a worm infection.
In a recent blog post, the CIO for the U.S. Navy, Robert Cary, said Defense officials are finalising details of the new USB security policy. Cary said the important thing is to ensure that thumb drives used in the future cannot transfer viruses to military computers and networks.
Policies will also include practices such as issuing authorised staff with government-owned and procured secure USB drives, a ban on all personally owned flash media, and upgrades to DoD antivirus and malware detection and procedures. These are all recommended, sensible controls to ensure network hygiene and reduce the risk of data losses.
As part of the commitment, the council has agreed to ensure that portable and mobile devices, including laptops, USB flash drives, etc., are encrypted. Staff will also be trained and made aware of policies for storage and use of personal information.
It’s good to see that these measures are being taken over losses of personal data, even when the actual volume of lost data is small. Let’s hope that other countries take an equally firm stance on this issue.
The UK Government’s data protection watchdog has recently criticised another health organisation for two incidents of data loss in early 2008, one of which involved the loss of an unencrypted USB flash drive.
While this can seem negative, it’s an example of how attitudes to data security in the UK public sector are changing. As a result of the vigilance of the Government’s data watchdog and the willingness of organisations that have suffered losses to change, the English National Health Service is one of the most advanced in successfully rolling out DLP systems, including mandatory hardware-encrypted USB drives.
An interesting point was that NHS Dumfries & Galloway didn’t just hand the secure drives to users: they held an amnesty so that staff could bring in old USB pen drives containing confidential information for orderly disposal.
The organisation arranged distribution days where it travelled to its various office locations to give out the new drives. This helped to ensure that all staff knew about the amnesty, and had a chance to familiarise themselves with the organisation’s updated policies – an example of good practice for anyone planning a similar roll-out.
Wouldn’t it be great if we could just flick a switch, and all sensitive data would be fully secured against loss or theft? Unfortunately, it’s never that easy, as this article points out.
It looks at four recent, high-profile data losses from UK public sector organisations, and asks how many times significant data losses have to occur before both private- and public-sector organisations deploy data encryption.
That’s a very good question. It’s also a reminder that if security is a race, it’s not a sprint, but a marathon. It’s a case of gradually extending security, to close the points of weakness and loopholes within organisations.
Solutions like our Cruzer Enterprise secure USB drives make it easy for organisations to secure data on the move, without adding complexity – making them a significant milestone in the long run towards total security.
NHS Dumfries & Galloway, one of the largest public health service providers in Scotland, UK, has selected SanDisk’s Cruzer Enterprise USB flash drives and CMC server software, to secure confidential patient information at both the company headquarters and in 50 field offices across Dumfries and Galloway in South West Scotland.
It has deployed over 1,100 Cruzer Enterprise USB flash drives with SanDisk CMC server software to protect transfers of otherwise unencrypted, personally identifiable information in electronic format.
With data loss and theft on the rise in government agencies in the UK, in 2008 NHS Dumfries & Galloway started an initiative to implement stringent policies for safely storing patient data on PCs, laptops, PDAs and other mobile devices, to proactively manage potential security problems before they happened.
It tested and benchmarked several solutions before selecting Cruzer Enterprise USB flash drives and CMC server software.
We’re currently working with several other healthcare organisations in the UK on similar projects – watch this space for further announcements.
This SanDisk Enterprise secure USB drive video illustrates a realistic scene in today’s business world.
The video presents the advantage of using secure USB drives in combination with a smart management system in case of a USB drive loss.
As 21% of company workers have little to no awareness of the risks involved with transporting corporate data on flash drives (SanDisk’s Survey, 2007), we believe this video can increase awareness of the risks of using unsecured USB flash drives.