A staff member at Victoria House Children’s Centre in Barnstaple, UK breached protocol (and data security laws) when a USB flashdrive was stolen from her. Obviously, the use of drive encryption like AlertBoot would have prevented the breach from ever taking place.
Such technological solutions are always preferable over what Action for Children (AFC) — which runs the center — was using: guidelines.
“No Legitimate Reason”
According to an AFC spokesperson, the employee had “no legitimate reason for [having] that information.” Furthermore, it was revealed that the employee
…would have known she was in breach of strict company policy, and the Data Protection Act 2008, which states staff are banned from copying people’s sensitive personal data and taking it off the premises.
“We have very clear guidelines in place. She will have been under no illusion, given the nature of our work.” [thisisnorthdevno.co.uk]
Approximately 45 families were affected by the breach — about two percent of the center’s users.
Statistics are not Things That Happen to Other People
Action for Children has been very good at pointing fingers at the employee, and for good reason, too. But, in defense of the staff member, she wasn’t exactly planning on having her handbag stolen (the same handbag that contained the USB drive).
It can try to blame the employee all it wants, but it appears as if it has engaged in very weak security practices. I mean, where is the encryption software? Where is the computer port control? Do they have data leakage prevention software in place, in case employees email themselves sensitive data?
Guidelines and policies are important; however, the past five years (and then some) have shown that these are not enough from a data security standpoint. Employees are an integral part of a company, and they’ve got to do their part, but so does the rest of the company by instituting technological safeguards.
Just pointing to usage policies and guidelines when things go awry is the last bastion of those unprepared for a data breach.