The loss of a USB flash drive containing sensitive data has landed another public sector organisation with a reprimand from the Information Commissioner’s Office (ICO) for mislaying unsecured storage.
The offender this time was Rochdale Metropolitan Borough Council, which in May of this year lost a single USB stick containing the personal details of over 18,000 residents, including names, addresses, and details of payments.
The data had been stored in unencrypted form on the drive for accounting purposes. The device has not been recovered.
The Council had no policy in place to ensure that employee USB sticks were encrypted, the ICO noted, and staff lacked training on data protection.
“Storing the details of over 18,000 constituents on an unencrypted device is clearly unacceptable. This incident could have been easily avoided if adequate security measures had been in place,” said the ICO’s acting head of enforcement, Sally Anne Poole.
Although the ICO accepted that much of the data lost in this incident was already available in the public domain, the Council has undertaken to provide staff with encrypted sticks, a policy that will be extended to other devices including laptops.
In a sense, the Council has been able to learn a data breach lesson without the serious consequences that normally accompany such losses. More often, public sector breaches are laced with the potential for trouble.
Only a few weeks ago, Surrey and Sussex Healthcare NHS Trust admitted it had lost an unencrypted USB stick containing patient data, which echoed another smaller incident where University Hospital of South Manchester NHS Foundation Trust lost one of its sticks. Earlier this year Leicester City Council was rebuked for losing a stick containing access codes for social housing.
USB sticks are obviously popular in many public sector organisations, a surprising number of which still don’t appear to enforce encryption until after the ICO has to be informed of a loss.