Portable storage devices & data loss
The Privacy Commissioner recently released a Guidance Note on the Use of Portable Storage Devices. PSDs have been the cause of some major data-loss incidents around the world in recent years, although of course people will still drop notepads in the street or lose unencrypted disks in the post. The recommended steps:
- Assess the risks associated with using PSDs in your organisation.
- Introduce and actively communicate policies that set out how staff may use PSDs.
- Minimise the use of personal PSDs in the workplace.
- Introduce software or hardware controls (or both) to restrict use of PSDs.
- Actively monitor the use of PSDs for compliance with policies.
A relevant item to note following the launch of Windows 7 is the new BitLocker To Go extension for encrypting USB drives. For Windows users, requiring its use would surely be a key policy to introduce.
In any case, technical measures, as always, will only be part of the picture. In matters of privacy protection, data loss and DRM, technical protections will only ever be playing catch-up. Overarching all of this, and not covered by the guidance note, is the observation in the UK’s 2008 Burton Report into the loss of Ministry of Defence data, which described a “Facebook generation” as having:
“a culture where the rapid and often uninhibited exchange of information is the norm… The younger generation of MoD staff are not inculcated with the same culture of protecting information as their counterparts from previous generations.”
Communicating the risks and liabilities (and documenting them in policies and contracts) is a step often overlooked.

