Hong Kong's Food and Environmental Hygiene Department (FEHD) is following up on a possible case of confidential data leakage involving a USB device which was lost on the public transport system.
An FEHD spokesperson was quoted as stating that their employees are required to report any loss of confidential data and that the department has guidance aimed to remind employees to avoid storing confidential and sensitive data in USB flash drives.
The Hong Kong Office of the Privacy Commissioner for Personal Data is again involved--less than 2 weeks after it released a report on a similar incident following the loss of a flash drive containing patients' personal data at United Christian Hospital.
Of course, the loss of storage devices such as this is not so much about the device itself but rather about the data it contains. It's pretty much impossible to stop people losing these devices as they relentlessly get smaller in size--as their storage capacity is increasing.
It's also becoming difficult to identify portable data-recording devices: iPods, mobile phones and digital cameras all contain mass-storage capability, creating a headache for organizations concerned with securing sensitive data. Standard storage devices are becoming smaller with new types of mass-storage appearing constantly-- today you can even buy a pen or wristband with a USB drive built-in.
So what's the answer?
Given the scale of the problem and the severe risk (and frequency) of data loss, an extreme alternative is to stop the use of USBs altogether. Military organizations and [some] government agencies have been known to glue shut all USB ports on their PCs, permanently sealing them. Extreme? Perhaps but it does protect the data stored on the main device even if it also deprives the user of a convenient storage medium.
But a couple of things struck me about this latest incident. It's 2009 after all, and this sort of data loss is becoming inexcusable. Even harder to excuse: the response to this latest incident.
According to the CWHK story, the FEHD spokesperson's comments said that "the department has guidance aimed to remind employees to avoid storing confidential and/or sensitive data in USB flash drives." When issued after the data has been lost on a bus, this statement is nebulous, to put it politely.
Let's be honest: if all that was needed was to "remind" staff not to do something, then organizations wouldn't need to make investments in information security, would they? Just send employees an e-mail every now-and-again and data remains secure. Of course, that "security model" didn't work here and it didn't work in the past either. At worst--as any security professional will tell you--it only acts as an often ignored advisory to employees and at best, only facilitates punitive action against a perpetrator after the event.
So telling people what not to do hasn't worked (again) and it should NOT be used now to absolve organizations from taking adequate steps to protect sensitive data. Any organization that has sensitive data must take rigorous and effective steps to protect it, else their sensitive data ends up on a public bus somewhere.
Secondly, and most damningly of all in cases such as this, all the technology required to prevent this type of breach is commercially available today and proven to work. If data is sensitive, steps could have been taken to prevent the use of USBs in the first place or, if their use is needed, adequate steps could have been taken to protect data.
The best way of achieving protection is through encryption. For computers, hard-disk encryption programs such as PGP Disk provide protection and USB drives are available with built-in encryption. At the very least, USBs should be protected with a password.
The IT industry talks about "de-perimeterization," but here's an example where perimeter defense technologies such as firewalls and IDS were bypassed by a cheap and simple storage device. This is why data leakage protection tools are popular in the industry at the moment. These tools can prevent the wrong sort of data being moved to devices like this.
What's infuriating with this latest breach and similar past incidents is the apathy with which they are accepted and communicated--as if the device loss couldn't have been anticipated, or somehow that it was sufficient to advise staff on what not to do, or that technology wasn't available to protect that data. Or is it just plain ignorance that this is a very common security incident and the rather pathetic surprise that now it has somehow happened to them.
If this were your personal data on that lost USB you wouldn't feel apathetic. You'd be angry, and rightly so, because when people lose storage devices with your sensitive data contained inside, the container doesn't matter because it's the data which is valuable at best, devastating at works.
So while we won't be able to make these devices harder to lose, organizations can, and must, take steps to protect the data that they contain. And if they don't (and remember: this is just the latest in a long line of similar incidents) then the Hong Kong government should introduce punitive measures that hurt the perpetrators financially. If policing devices is problematic, then let's put a padlock on organizations' wallets until they do feel compelled to protect other peoples' personal data.