ICO Raps Council Over USB Stick Loss, but Imposes No Fines

Bob Styran, IT audit expert
February 24, 2011

The Information Commissioner’s Office has once again sanctioned a council guilty of losing a USB stick which contained case notes and minutes of meetings about the aids for six adults.

Cambridgeshire council violated data privacy laws when it compromised this information about vulnerable adults. As in the case of Stoke-on-Trent City Council, which in November last year lost a USB stick containing personal data of 40 children in care proceedings, the USB stick was unencrypted.

The loss of the USB stick took place amid efforts by Cambridgeshire council to strengthen its encryption policy. Under the policy, employees were asked to surrender their unencrypted memory sticks.

Sally Anne Poole, enforcement group manager at the ICO, said that, following the loss of the USB stick, the council needs to ensure that its policy is followed by every member of staff.

She said the staff responsible for the loss of the USB stick did not follow proper IT security measures.

The council reported the incident to the ICO in November 2010. However, the USB stick remains missing.

Cambridgeshire council has already signed an undertaking binding itself to ensure that all devices used by the staff are encrypted and to implement a regular monitoring schedule to ensure strict compliance with the policies.

A spokesperson for Cambridgeshire council said it has since taken the “storage of data very seriously” and implemented the necessary steps to prevent the incident from happening again.

Poole said the ICO is glad that Cambridgeshire County Council has decided to improve its security measures following the loss of the USB stick.

 

1 Comment for “ICO Raps Council Over USB Stick Loss, but Imposes No Fines”

  1. This news once again stands as testament to the fact that current storage security solutions for removable storage are not adequate or do not fit the way that users and organisations need to operate in order to remain efficient and productive.

    Countermeasures such as complex endpoint security solutions that only allow specific USB devices or approved removable media to be used are extremely expensive and cumbersome, as well as impacting significantly on PC performance. The draconian approach of locking down all the PCs in the workplace to prevent the use of USB ports for any devices is similarly impractical, limiting productivity and preventing legitimate duplication of data for backup, testing, approved sharing and offline working.

    Here, it would have been better to use a combination of strong encryption with remote management and wiping so that end users are afforded an extra level of security and protection in the event they lose a device or have one stolen from them.

    Tom Colvin, CTO, Conseal Security
