We have posted about this a little earlier this year, but it’s worth mentioning again that the UK Information Commissioner’s Office, which is the data watchdog for the UK Government, continues to take tough measures with public sector organisations that have suffered data breaches.

Most recently, a UK healthcare organisation misplaced 3 unsecured USB flash drives with confidential patient details, and has signed an undertaking confirming that the Trust will take a number of steps to ensure personal data is kept securely.
 
The Assistant Commissioner at the ICO said: “I urge all NHS organisations to restrict and encrypt the amount of sensitive information stored on portable devices. In this case, our investigation found that there was a lack of understanding and awareness among staff of their responsibilities under the Data Protection Act.”

This is good practice, and a good argument for deploying secure USB flash drives.

The UK Ministry of Defence’s latest resource accounts (PDF at link) show that the department suffered eight serious data breaches from 2008 to 2009, compared with just two in the preceding year.

The biggest incident was the loss of a portable hard disk from a contractor’s premises, which contained the names, passport information and bank account details of an estimated 1.7 million service personnel.

Others included the theft of three USB sticks from “secure government premises”, which contained details of all RAF service personnel who served between 2002 to 2008 and details of family members. 

As with the data loss incidents involving HSBC we mentioned recently, the Ministry says it has launched a campaign to educate staff about the importance of data security, together with training courses on protecting information.  These are good signs.  But training alone isn’t enough – security demands a mix of policies and solutions in order to be effective.  There is still some way to go before we reach the target of true security for all personal data.

The UK Government is making giant strides in tightening up data security, and in public disclosure of security breaches, following the high-profile losses from public bodies over the past 18 months. 

The issue is being policed strongly.  This week, the Government’s Information Commissioner issued further warnings to a number of National Health Service bodies about the importance of protecting data, with instructions for them to adhere to the UK Data Protection Act.

Five healthcare bodies were found to have breached regulations, ranging from stolen laptops, lost CDs and lost USB flash drives.  All were unencrypted and all contained potentially sensitive patient data.

It’s good news that data protection and corporate governance is being enforced at this level.  With the right combination of policies and products, everyone’s data can be kept a little safer.

We often see newsflashes telling us about the latest data breach, caused by a lost thumb drive or stolen laptop.  But what happens after the initial loss?  What are the ramifications and the fall-out?

This article shows what happened after a loss of very sensitive data in August 2008, when an employee of IT contractor PA Consulting lost a USB flash drive with the details of all the UK’s 84,000 prisoners.

The contractor was working for the UK Government’s Home Office and human error led to the stick and the unencrypted data being misplaced.  The employee immediately told supervisors, who then told the UK Ministry of Justice (MoJ) and the Home Office.  Although police were brought in to search the offices and the employee’s home and car for the missing memory stick, it was never found.

The unhappy result was, the contractor lost its contract, and the employee’s and line managers’ jobs were lost too.  Home Office staff are now advised not to use flash drives.  All for a single data loss. 

The fact is, it’s impossible to stop devices getting lost or stolen.  But the risk can be mitigated – and the extensive, unpleasant fall-out stopped – by enforcing encryption on these devices.

Have you ever looked at all the data breaches that have occurred in the past 18 months, and thought “that couldn’t happen to me”?  The truth is, it can happen to anyone, and at more or less any time.

All it takes is a moment’s inattention to lose a thumb drive or disk.  And if the data on that device is not protected in any way, congratulations:  it’s your own data breach. 

To highlight that it can indeed happen to anyone, this article on Enrique Salem, president and CEO of security giant Symantec is revealing.  In it, he admits that he has personally lost a USB flash drive containing confidential information.

He also points out that certain data security features need to be automated – such as mandatory encryption, alerts to administrators in the event of protected data being accessed, and more.  This security best practice helps to ensure confidential data stays confidential. 

So if you’ve ever lost a flash drive in the past, don’t worry:  it can even happen to CEOs of security companies.  But if you think it cannot happen to you, you might want to think again.