A memory disk that was not secured with disk encryption software has been lost, affecting 200 disabled people living in the borough of Wigan. The Wigan Council has alerted those affected, and has declared a ban on using USB flash drives.
Signed Undertaking, Previous Breach Less Than One Year Ago
This is the second breach in less than one year. Around April of last year, Wigan Council had announced the theft of a laptop computer that contained the information on 33,000 students. I had noted at the time that it didn’t seem like a big deal, but with reservations.
More appalling is the fact that, only three months ago, the council had to sign an Undertaking with the UK Information Commissioner, promising to protect personal data, as a result of that first breach. The Information Commissioner gained the right to fine agencies not too long ago. We’ll have to see what the ICO decides to do with this current situation.
USB Memory Stick Lost On The Train
While not confirmed yet, it is believed that the pen drive was lost on the train (it’s been confirmed only that it dropped out of an employee’s pockets). According to reports, one employee has been suspended, and another disciplined.
The information on the lost USB thumb drive includes names, addresses, national insurance numbers, ethnicity, and types of disability. Financial information was not included.
The Wigan Council has announced that “it will extend its encryption programme and it has now banned the use of all memory sticks.”
I don’t know whether to applaud these people or…do something else. Extend their encryption program (managed data encryption: http://www.alertboot.com/disk_encryption/central_encryption_software_management.aspx)? To what? How? I would imagine that, after their first breach, the need for encryption throughout was quite obvious. Did the council only now realize that–gasp!–small electronic devices designed to store information can get lost or stolen as well, in addition to laptop computers?
If it’s determined that encryption software is required, it generally is required for any and all devices that may store sensitive data. There shouldn’t be a need to “extend” anything, although there may be a need for constant “maintenance”–getting encryption set up on any new purchases, for example.