The Australian and New Zealand Privacy Commissioners recently released studies examining the use of Portable Storage Devices (PSDs) by their governmental agencies. The aim was to examine the risks to personal information posed by the use of PSDs. PSDs are small, convenient devices capable of storing large amounts of information; they include laptops, cell phones, USB drives, hard drives and iPods.
The studies found that government agencies often keep track of the PSDs they issue but seldom audit those devices. Policies regulating proper usage are often developed, but rarely enforced. Hardware controls (e.g. sealing off ports and disabling cables) are used less frequently than software controls (e.g. blocking access to certain databases, and monitoring access and the information downloaded).
The majority of agencies (like most private sector businesses in Canada) also allow the use of private PSDs for work (e.g. a cell phone which is used for both personal and business purposes). The studies found that policies regarding the use of private PSDs were less common and much less enforceable than policies for agency-issued PSDs. Even though these studies only analyzed governmental use, the New Zealand Privacy Commissioner stated that she believed the findings were equally applicable to private sector businesses.
As I’ve commented in previous posts, there are privacy risks associated with the use of PSDs. First of all, there have been numerous incidents of stolen laptops and other PSDs that contained personal information. Secondly, devices such as USB drives are easy to lose. Thirdly, disgruntled employees can easily use PSDs to steal personal information and other confidential corporate information from employers. For example, an employee can simply click a button and download a company’s entire database in a matter of minutes. This is called “pod-slurping” and is a particular threat because many government agencies and private companies do not have the software capability to track when data has been downloaded to a PSD.
In order to avoid a privacy breach and resulting damage to your business, consider implementing some of the suggestions contained in a 2006 investigation by the Alberta Privacy Commissioner (which I would add should, of course, be implemented in accordance with your organization’s privacy policy and applicable law):
- Develop policies on proper usage of PSDs (whether company-issued or private) and train employees about these policies. Include detailed instructions about retention and deletion of personal information;
- Limit the amount of personal information that is stored on PSDs;
- Use encryption on all PSDs that store personal information. Password protection alone is not sufficient as there are free software programs available on the Internet which can crack passwords;
- Monitor the use of PSDs through software (i.e. install software that tracks data downloaded from a database onto a PSD);
- Instead of using PSDs, implement technologies that allow employees to access a database through a secure network;
- With respect to laptop thefts, consider installing tracking software that can trace the location of a lost laptop. Also consider installing a “kill switch” so that the computer will self-destruct if an individual tries to gain unauthorized access; and
- Stress to employees the need to use appropriate safeguards at all times, even when at home.
