It doesn’t matter how good your technology systems are if you trust people to follow certain steps to keep data secure as a prison in England learned the hard way.
The best part of this story is that they “were reminded how to handle personal and sensitive information of patients and employees.” Unfortunately reminding people simply doesn’t work if you want to really make a change.
So what should they have done?
First of all, question the need for USB sticks in the first place. Why can’t the data be stored securely in the cloud and transferred on an encrypted channel?
And the data-at-rest on the USB keys could be encrypted with public/private keys. If the USB keys are lost, they would be of no use to anyone who found them.
When you run an organization of any size that requires the protection & care of any personal data, you have to assume that people will mess up. Empower them to do the right thing, give them the right tools, and make sure you have failsafe systems that prevent risky & costly disclosures.
- Ministry fine for prison data breach (bbc.co.uk)