After violating the Data Protection Acts of both the U.K. and the Isle of Man, care provider Praxis Care Limited this week expressed a new-found commitment to improving its data protection practices.
According to the U.K.'s Information Commissioner's Office (ICO), Praxis failed to adequately protect patient data when it was revealed that the caregiver had lost an unencrypted memory stick containing information on more than 150 Isle of Man and Northern Ireland residents. The device has not yet been recovered and is said to contain information relating to people's mental health.
"Carrying people’s personal information around on an unencrypted memory stick is clearly unacceptable," U.K. information commissioner Christopher Graham said in a statement. "The fact that some of the personal details stored on the device were out of date and so surplus to requirements makes this breach all the more concerning."
However, following a joint ruling by the ICO and the Office of the Data Protection Supervisor (ODPS) for the Isle of Man, Praxis agreed that it would improve its data security efforts and ensure that all portable devices that store personal information are encrypted. According to the ICO, Praxis will also properly dispose of any personal information that is no longer needed.
"Today's joint action aims to send a clear message to organizations that a lax attitude to data security will not be tolerated by either the ODPS or the ICO," said Iain McDonald, Isle of Man data protection supervisor. "We will continue to work with regulators in other countries to ensure that our residents’ personal information is protected."
Technology news provider eWeek recently highlighted a number of steps businesses and individuals can take to ensure their portable storage devices – USB drives in particular – are protected against common threats.
At the top of the list is the implementation of device-level management software, which enables users to track which devices are being connected to the network and by whom. Such practices can ensure that sensitive data is not being transferred to USB drives and shared with unauthorized users, eWeek noted.
Other practices identified in the report include blocking unauthorized devices, distributing company-approved drives and providing data security training to employees and executives that may handle such devices.
One suggestion that may have helped Praxis avoid its current situation is the development of an encrypted USB plan. This proactive measure provides a level of security that ensures only authorized USB drives can access certain data even if the storage device is lost. It also establishes a plan of action should a device go missing.
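The eWeek practices above (tracking which devices connect and by whom, blocking unauthorized devices, issuing only company-approved encrypted drives) come down to one control: compare every USB-attach event against an inventory of issued drives. The following is an added example, not code from the article, eWeek or Praxis; the audit-line format, the inventory structure and every vendor/product ID, serial, host, user and timestamp in it are constructed for illustration, and the verdict names (`approved`, `unknown_device`, `wrong_owner`, `unencrypted_device`) are this example's own.

```python
"""Allow-list audit of USB-attach events against a company device inventory.

Added example for the article's "device-level management" advice.  All
identifiers and log lines below are constructed, not taken from any real
system.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# One audit line per attach, as a device-control agent might emit (constructed format).
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"id=(?P<vid>[0-9a-fA-F]{4}):(?P<pid>[0-9a-fA-F]{4}) serial=(?P<serial>\S+)$"
)


@dataclass(frozen=True)
class ApprovedDevice:
    """A company-issued drive: who it was handed to, and whether it is encrypted."""
    vid: str
    pid: str
    serial: str
    owner: str
    encrypted: bool


@dataclass(frozen=True)
class UsbEvent:
    ts: str
    host: str
    user: str
    action: str
    vid: str
    pid: str
    serial: str

    @property
    def device_key(self) -> str:
        # vendor:product:serial identifies a physical drive, not just a model
        return f"{self.vid.lower()}:{self.pid.lower()}:{self.serial}"


# Constructed inventory (hypothetical IDs); in practice this is the issuance record.
APPROVED: Dict[str, ApprovedDevice] = {
    "0781:5583:4C530001": ApprovedDevice("0781", "5583", "4C530001", "alice", True),
    "0781:5583:4C530002": ApprovedDevice("0781", "5583", "4C530002", "bob", True),
    "0781:5583:4C530003": ApprovedDevice("0781", "5583", "4C530003", "erin", False),
}

# Constructed audit lines covering the cases a reviewer should see flagged.
SAMPLE_EVENTS = """\
2012-01-16T09:02:11 host=ws-12 user=alice action=usb_attach id=0781:5583 serial=4C530001
2012-01-16T09:15:40 host=ws-07 user=carol action=usb_attach id=0951:1666 serial=E0D55EA0
2012-01-16T10:01:05 host=ws-12 user=dave action=usb_attach id=0781:5583 serial=4C530002
2012-01-16T10:30:00 host=ws-03 user=bob action=usb_attach id=0781:5583 serial=4C530002
2012-01-16T11:12:52 host=ws-09 user=erin action=usb_attach id=0781:5583 serial=4C530003
"""


def parse_events(text: str) -> List[UsbEvent]:
    """Parse audit lines; an unrecognised line is an error, not silently skipped."""
    events: List[UsbEvent] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable audit line: {line!r}")
        events.append(UsbEvent(**m.groupdict()))
    return events


def classify(event: UsbEvent, inventory: Dict[str, ApprovedDevice]) -> str:
    """Decide whether one attach event is within policy."""
    if event.action != "usb_attach":
        return "ignored"
    dev = inventory.get(event.device_key)
    if dev is None:
        return "unknown_device"        # not company-issued: block and alert
    if not dev.encrypted:
        return "unencrypted_device"    # issued, but violates the encrypted-USB plan
    if dev.owner != event.user:
        return "wrong_owner"           # issued drive in someone else's hands
    return "approved"


def audit(text: str, inventory: Dict[str, ApprovedDevice] = APPROVED) -> List[Tuple[str, str, str, str, str]]:
    """Return (timestamp, host, user, device_key, verdict) for every event."""
    return [(e.ts, e.host, e.user, e.device_key, classify(e, inventory))
            for e in parse_events(text)]


def summarize(text: str, inventory: Dict[str, ApprovedDevice] = APPROVED) -> Dict[str, int]:
    """Count verdicts, which is what a daily compliance report would show."""
    counts: Dict[str, int] = {}
    for *_, verdict in audit(text, inventory):
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for ts, host, user, key, verdict in audit(SAMPLE_EVENTS):
        print(f"{ts} {host:6} {user:6} {key:22} {verdict}")
    print(summarize(SAMPLE_EVENTS))
```

Keying the inventory on vendor, product and serial together matters: allow-listing by vendor/product ID alone would let any retail drive of the same model through. The `unencrypted_device` verdict is the check that would have caught a drive like the one Praxis lost before it left the building, and `wrong_owner` is how the eWeek "who connected it" advice becomes an actionable alert rather than a log line.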
"Not all data breaches are the result of a malicious attacker breaking into the network," eWeek's Fahmida Rashid wrote. "Ex-employees can download sensitive documents to a personal USB drive and take it to their new employer. Backup drives containing sensitive data can get lost or stolen. Employees trying to be productive by taking work home can misplace their flash drives. All these potential scenarios expose the organization to data loss and regulatory fines."
A recent study from the Ponemon Institute revealed that the cost of a data breach is constantly increasing. According to the report, the average data breach totaled $6.6 million in 2008 and $6.7 million in 2009, despite a drop in the total number of incidents reported.
Beyond the monetary loss, businesses must be conscious of the reputational damage that can result from a data breach as well. If an organization demonstrates unsound data security practices, individuals and other companies will be less likely to do business with it, which can affect everything from the bottom line to employee morale.
Security News from SimplySecurity.com by Trend Micro