
Federal Department Bans Use of Portable Devices (YAFF)

Jan 22, 2013   //   by Karen Lopez   //   Blog, Compliance and Regulation, Data, Data Breach  //  4 Comments


I thought I had blogged about this Canadian data breach, but I guess not.  All these data breaches are coming so fast it’s hard to keep up. In this report, we have another YAFF: a portable hard drive being used as a backup device.

It looks like Human Resources and Skills Development Canada (HRSDC) will be taking a three-pronged approach to protecting our data: first, a new policy banning portable storage devices; second, use of data loss protection technologies and third, establishing consequences for staff that cause a data breach.

OTTAWA — The federal department at the centre of a massive data breach says it is banning the use of portable data devices in its offices, using new technology to prevent information from being easily removed from the network and warning any staff that violation of the new rules could mean the loss of their job.

Human Resources and Skills Development Canada (HRSDC) said Monday that it will start using “data loss technology,” which would allow the department to restrict when, where and which staff can remove information from government systems. Reviews have already started to see what risks the use of secured, portable data devices, such as USB memory sticks, carry in the department’s work and whether there are enough safeguards to prevent another massive breach of personal information from happening again.

via Federal department bans use of portable devices after personal data breach | canada.com.

Their loss of more than half a million student loan borrowers’ data has led to class action lawsuits.  A missing external hard drive is the hardware piece of this breach; the fact that this drive contained unencrypted backups is the behavioural issue.  Perhaps we need to start thinking about how to train end users on the consequences of moving data from “the system” to any place else, even for backup purposes.

Is there a solution?

I have more questions than solutions here, though.  Usually enterprise backup solutions involve software plus a server or external service.  I’m not sure why HRSDC was using a portable hard drive for backup.  They are harder to manage, they tend to walk away, and they aren’t that reliable.  So I’m going to guess here that this device was a personal device or being used to sneakernet files from one location to another.  Perhaps from office to home, or from office to office.  Both of those scenarios bother me because they most likely were not official methods for doing these tasks. 

I don’t think there’s one answer.  Training, policy, inspections, consequences, real monitoring and protection, more training, more inspections, some tough decisions.  It’s a complex issue that will require complex responses.  I’d like to hear what other organizations are doing to mitigate data breaches.

B.C. Health Ministry Data Breach Affects Millions

Jan 16, 2013   //   by Karen Lopez   //   Blog, Compliance and Regulation, Data, Data Breach  //  1 Comment


News about yet another health data breach comes, with millions affected.  The largest breach of about 5 million people involves, yet again, a USB drive.

I could see why a CIO would want to order the disabling of all USB ports on corporate computers. Then will someone come up with a “USB Drives Don’t Breach Data, People Do” solution?

I’m still wondering why the tech community can’t come up with a solution to this ongoing attack on people’s data.   In these cases, is it that the employees just didn’t care about the people? Were they feeling pressure to just get the job done?  Did they not know that sensitive data was on these devices?  Perhaps they were just sharing one of their USB bottle openers like the ones I collect?

– June 2012: The health data of about 38,000 individuals was shared with a researcher. The data was linked to Statistics Canada community health survey information. The disclosure of the information breached an agreement with the federal government.

– June 2012: A USB stick which contained a plain text file of 19 types of health data was provided to an authorized ministry contractor. The file included personal health numbers and health conditions – such as Alzheimer’s – for about five million individuals over several years. Against policy, the data was neither encrypted nor made non-identifiable.

– October 2010: Health Ministry data containing the personal health numbers of about 21,000 people – with diagnostic information for about 262 chronic diseases conditions – was shared on a USB stick with a researcher without a request being approved.

via B.C. Health Ministry data breach affects millions – 38,000 will receive letters – Local – Times Colonist.

Disabling USB ports seems like the wrong approach.  Right now I’m leaning towards criminal prosecution of people who are careless with our data.

Love your data.  Because it’s really our data.
