Health and Safety inspector loses details of Hartlepool nuclear power plant

The Sun newspaper has reported that a memory stick containing details of the stress test undertaken at Hartlepool following the Fukushima disaster in Japan last year has been lost on a visit to India. This raises fundamental issues over the security of memory sticks – not least of which is who is responsible for oversight in such cases. Critics claim that the Office for Nuclear Regulation (ONR), part of the Health and Safety Executive, is more a propaganda outlet than a genuine regulator; while the better-known Information Commissioner’s Office (ICO) is unlikely to be engaged because personal privacy is not involved.

Responsibility, with little external oversight, falls on the organizations concerned. Norman Shaw, the founder and managing director of ExactTrak, believes that this requires a fundamental change in our attitude towards encryption. Such incidents could easily be prevented, he told Infosecurity, by encrypting the master data. “The encryption program needs to be set up to check any USB device that is connected to see if it is encrypted. If it is an unencrypted USB drive then there is a forced encryption before any data is transferred.”

He also believes that a non-technical change of attitude would help. “The biggest cause of data loss is human error, not theft,” he said. But he doesn’t believe UK data protection laws are adequate – they “are big fluffy poodles compared to the German Rottweilers... you have to make the individual culpable and impose fines on them as well as the enterprise” for gross negligence or delayed reporting.

But since human error and the lack of encryption will probably continue, ExactTrak promotes the idea of remote data wiping and destruction for lost sticks. It produces a memory stick with its own battery and GPS capability. The result is that memory can be wiped remotely even if the stick is never connected to the internet or even inserted into a computer. The data can, said Shaw, “still be deleted even when lying under a night club table or back of a taxi.”
