The Canadian Office of the Information and Privacy Commissioner has finalized its investigation into the Edmonton Public School Board breach, nine months after the incident took place. If you’ll recall, a USB disk was lost. A number of the school’s IT policies had been broken, including the failure to use data encryption software.
More Information Revealed, Not Much Changed
I had covered the incident back in April 2011. It looks like there isn’t much more to report, although a number of details have been cleared up.
More than 7,600 employees of Edmonton Public School District were affected by the data breach. Of these, 2,826 had “considerable personal information, including social insurance numbers, banking information or both” on the lost USB disk. The remaining 4,836 had minimal information stored on the unsecured device.
The data included but was not limited to:
employment applications, resumes, transcripts, completed direct deposit forms (including cheques), copies of identity verification (i.e. driver’s licenses, first page of passports, birth certificates, etc.), injury forms, payroll correspondence, pension correspondence, benefits forms and correspondence, education credentials (i.e. certificate, degree, diploma etc.), job information history, pay-benefits history, performance evaluations, police criminal records check reports
In my previous post, I had also noted that no one knew how the information had been breached. In other words, a USB flash disk was lost, but nobody knew when or how. That still remains the case. According to the findings, “an IT staff member pocketed it while at work but could not find it two hours later.”
The breach cost $46,000 to resolve, including “staff time, overtime, supplies, postage, and other miscellaneous expenses.”
It’s often said that USB devices that contain sensitive information should be encrypted. There’s something wrong with that wording. You see, it’s not that USB devices that contain sensitive data should be encrypted — that’s putting the cart before the horse. Instead, sensitive data ought to be saved to encrypted devices. You might think it’s mere verbal judo, but it’s more than that.
You see, disk encryption takes some time to implement. What are the chances that someone will grab a USB disk, save sensitive data to it, and then go through the routine of deploying disk encryption on it? The answer is “nearly zero.” It won’t happen. The person will save the files to the flash drive and call it a day, promising that he won’t take the USB device out of the office, etc. Sooner or later: data breach.
Instead, data ought to be saved to USB disks that are already protected with encryption software. This, however, poses its own problems. If an encrypted USB disk cannot be found, what are the chances that a person will go looking for one instead of just grabbing the unsecured USB disk lying two inches to the right of the mouse?
This leads to the only sane conclusion and best practice: assume that all USB disks used at an organization that deals with sensitive data will be used to store sensitive data at some point, meaning that all USB disks should be encrypted. It’s not that crazy. One company came to a similar conclusion regarding laptops the hard way.
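The conclusion above (every removable disk in the organization is treated as one that will hold sensitive data, so every one of them must be encrypted) is only enforceable if the platform refuses to let files land on an unencrypted stick in the first place. The following PowerShell script is an added example, not code from the original post or from the school district; it audits the removable drives attached to a Windows machine for BitLocker To Go protection and checks whether the Group Policy setting “Deny write access to removable drives not protected by BitLocker” (stored as the `RDVDenyWriteAccess` value under the BitLocker policy key) is in place. It assumes a Windows client with the BitLocker PowerShell module, run from an elevated prompt; the function names and the output columns are my own.

```powershell
# Added example (not from the original post): audit removable drives for
# BitLocker protection and confirm that writes to unencrypted removable
# drives are denied by policy. Assumes the BitLocker PowerShell module
# and an elevated session.
#Requires -RunAsAdministrator

# Registry location of the BitLocker Group Policy settings (FVE = Full Volume Encryption).
$fvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-RemovableDriveEncryptionStatus {
    # Win32_LogicalDisk DriveType 2 = removable disk (USB sticks, card readers).
    $removable = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2'
    foreach ($disk in $removable) {
        # Get-BitLockerVolume returns nothing for a drive BitLocker has never seen.
        $bde = Get-BitLockerVolume -MountPoint $disk.DeviceID -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Drive            = $disk.DeviceID
            Label            = $disk.VolumeName
            SizeGB           = [math]::Round($disk.Size / 1GB, 1)
            ProtectionStatus = if ($bde) { $bde.ProtectionStatus } else { 'Unknown' }
            EncryptedPercent = if ($bde) { $bde.EncryptionPercentage } else { 0 }
            # Compliant only when protection is on AND the whole volume is encrypted;
            # a drive still encrypting in the background is not yet safe to lose.
            Compliant        = [bool]($bde -and $bde.ProtectionStatus -eq 'On' -and $bde.EncryptionPercentage -eq 100)
        }
    }
}

function Test-DenyUnencryptedRemovableWrites {
    # The GPO "Deny write access to removable drives not protected by BitLocker"
    # is stored as RDVDenyWriteAccess = 1 under the FVE policy key.
    $value = Get-ItemProperty -Path $fvePolicyKey -Name RDVDenyWriteAccess -ErrorAction SilentlyContinue
    return ($null -ne $value -and $value.RDVDenyWriteAccess -eq 1)
}

Get-RemovableDriveEncryptionStatus | Format-Table -AutoSize
if (Test-DenyUnencryptedRemovableWrites) {
    Write-Host 'Policy enforced: writes to unencrypted removable drives are denied.'
} else {
    Write-Warning 'Policy missing: users can still save sensitive files to unencrypted USB disks.'
}
```

The write-deny policy is what closes the gap the post describes: with it in place, the unsecured stick lying next to the mouse is read-only until it has been encrypted, so “just grab the nearest USB disk” no longer produces an unencrypted copy of payroll data. The audit half of the script is useful on its own for spotting drives that were partially encrypted or never enrolled.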