The Information Commissioner's Office (ICO) and the Office of the Data Protection Supervisor (ODPS) for the Isle of Man have jointly criticised a care provider after an unencrypted memory stick was lost last year.
Praxis Care, which has offices in Northern Ireland and the Isle of Man, breached both the UK Data Protection Act and the Isle of Man Data Protection Act when the stick, containing personal information relating to 107 Isle of Man residents and 53 individuals from Northern Ireland, was lost on the island in August 2011.
Some of the information was sensitive and related to individuals' care and mental health. The device has not been recovered. However, Praxis has informed all affected individuals about the loss and no complaints have been received by the regulators.
Christopher Graham, UK information commissioner, said: “Carrying people's personal information around on an unencrypted memory stick is clearly unacceptable. The fact that some of the personal details stored on the device were out of date and so surplus to requirements makes this breach all the more concerning.
“The ICO will continue to work closely with other data protection regulators where it is clear that a data breach extends across national boundaries.”
Iain McDonald, Isle of Man data protection supervisor, said: “Today's joint action aims to send a clear message to organisations that a lax attitude to data security will not be tolerated by either the ODPS or the ICO. We will continue to work with regulators in other countries to ensure that our residents' personal information is protected.”
Marcus Ranum, CSO of Tenable Network Security, said: “The comment that ‘carrying people's personal information around on an unencrypted memory stick is clearly unacceptable’ hits the nail on the head. It's pretty obvious that, if your sensitive data is walking around on USB sticks, there's a risk of it going astray.
“While it's encouraging to see that regulators are coming down on organisations that are sloppy with their data, CISOs need to start thinking about the root cause of data loss. If your USB stick is encrypted, it's OK, but why was the data on a USB stick in the first place?
“Instead, organisations with critical data need to rethink their approach to information management and look at how that data is accessed, where it is stored and why. Unless someone needs access to the entire patient or customer database, they shouldn't have permission to view it. Organisations need to start addressing how many people have access to critical information and reduce the exposure of data, or else this kind of breach will be an endless litany.”