A care provider with offices in the Isle of Man and Northern Ireland has committed to improving its data protection standards after losing a memory stick containing unencrypted patient data. The charity, Praxis Care, lost the memory stick in August 2011. The device held personal information relating to 107 Isle of Man residents …
There are plenty of solutions out there ffs. How about only allowing devices with a PIN lock like the Corsair 2?
I know technically it's crackable, but not many people know how and most people wouldn't bother. If you had the nous to break into one you are probably able to steal the data direct.
"Never trust a charity" is a rule to live by.
(goes double if it was created by a celebrity or as part of a "Big Society" scheme)
Christopher Graham, the information commissioner, said: "Carrying people's personal information around on an unencrypted memory stick is clearly unacceptable. The fact that some of the personal details stored on the device were out of date and so surplus to requirements makes this breach all the more concerning.
God help anybody who carries a paper file about in the real world and leaves it on a train. It's about education not technology!
> God help anybody who carries a paper file about in the real world and leaves it on a train. It's about education not technology!
Got there before me. Why is carrying around people's data, encrypted or not, acceptable in the first place? If it was on a block of paper, someone might be talking to the police instead. Which is why that doesn't happen (anymore).
When the Irish Gas board comes to my door asking for my business I ask them why they were carrying bank details around on their laptops.
And they were no doubt
Taught all their information security skill by the HNS before being wooed by the better pay in the private sector
It's striking how many non-technical users are addicted to removable media. Their tiny brains believe data is safer when it's stored on something they can see and hold (and lose). I once worked with a department that copied all its documents on to floppy disks and locked them in a filing cabinet - so much safer than a VAX disk in a secure machine room that was backed up every night.
The answer is to make all removable drives (including USB ports) on desktop workstations read-only. People who want to copy sensitive information would then have to explain exactly why they need to carry it around with them. Of course, that won't stop them sending it by email.
Charity for Charities
Given the average charity (i.e. not the Red Cross et al.) can't afford a large IT department with Data Protection and IT security experts, it does raise the question as to whether the ICO should be funded to run education and consultancy courses for small charities on Data Protection and security?
In a former role looking after a local authority housing system, I ended up having to book out time to meet with the local housing charities and explain to them fundamentals of the DPA98, such as it also applies to paper files (which a number of the local charities thought wasn't the case).
In this case I would suggest a small amount of government expenditure on education would pay back dividends in improved data protection, and less enforcement and investigation costs.
End Point Control??
I can't see how this is still happening within these industries. I worked for the local council and we implemented Safe End, which restricted any USB devices. In order to use a USB key it would have to be formatted and a secure client installed on it prior to data being written. The reason for using client-based encryption was that we could still recover the data if the person lost the password, unlike a hardware encrypted device, and when connected to the network it could be authenticated against any user.