Personal data protection laws are springing up around the world; you’ve probably heard of the EU’s. These laws have made organisations acutely aware of the need to protect any personal data placed in their care. Failing to do so can result in massive fines. Under the General Data Protection Regulation (GDPR), the Information Commissioner’s Office (ICO) can fine organisations up to 4% of global turnover for any given personal data breach. Quite apart from this, a breach can cause reputational damage and great harm to the individuals whose data is leaked, stolen or lost. They may well sue, which will only add to the expense, both reputational and financial.
While the computer industry has enabled sophisticated processing of personal data, it has also facilitated its loss. Corporate IT systems and networks have all manner of measures in place to minimise the risk of a data breach, but it’s a different story when data is physically on the move. How many times have you heard of mobile phones, laptops, USB sticks, portable hard drives or optical discs being mislaid or stolen?
Quite often, the data is readable, either straight away or with a minimum of effort by a suitably skilled and equipped individual. And it’s readable because, most of the time, it’s not encrypted. Some of the most horrendous cases have involved patient records, many thousands of which could sit on a USB stick, for example. These usually contain sufficient personal information about an individual to facilitate convincing identity theft. A recent example is the special educational needs teacher who left a memory stick containing sensitive information about hundreds of children in a laptop in a Lincolnshire council office. On her return, it was gone. It was never recovered. The ICO fined the council £80,000, largely because the data was unencrypted.
Organisations of all kinds regularly move around confidential documents that would cause severe problems if they fell into the wrong hands. The material might be financial, legal, trade secrets or intellectual property (IP), for example. Every organisation will know what’s sensitive and what’s not. When moving it physically between venues, it would make sense to encrypt it and keep the passcodes secret and/or separate from the encrypted device.
As ever with cyber security, the human is the weak point. People know logins and passwords, and if they can be lured into sharing them, the criminal’s job is largely done. Everyone involved in sharing sensitive data needs to be aware of the risks they face and how to avoid them, and organisations probably need to implement stricter conditions on who can access what data. When it comes to sensitive data, staff need to know either that specific data has to be encrypted or, to keep life simple, accept that all mobile storage must be encrypted.
Verbatim offer a wide range of portable storage devices protected by the AES 256-bit encryption system, which has never been cracked. The devices, be they HDDs, SSDs, USB drives or HDD enclosures, are protected by keypads, fingerprint recognisers or conventional computer password entry. As long as the passwords (or fingers) cannot be accessed by the wrong people, the stored data is secure.