According to Canadian media, the Investment Industry Regulatory Organization of Canada (IIROC) has lost a "portable device" that contained information on over 50,000 people. The IIROC has not been very responsive regarding the details, including whether the device was protected with a mobile data management software like AlertBoot. However, we know this much: they're "very sorry."
According to theglobeandmail.com, among other media outlets, the IIROC has blamed itself for the "unfortunate but isolated incident" and has promised to strengthen their internal controls so that the situation does not present itself in the future.
The regulator's spokeswoman noted that the IIROC does not want to make public details about the case (and make things worse):
"We are concerned that disclosing details of the incident may put clients' information at greater risk of being targeted for unauthorized use," she said. "We have communicated with all affected firms and are notifying their clients whose information was on the device."
Maybe it's just me, but this does not sound like the words of a confident organization that knows their data is secure, despite not exactly knowing its current whereabouts. Could this be indicative of a situation where this lost device has not been encrypted?
This would not be the first (or last) time that something like this has happened. The loss of USB drives and external hard drives has accounted for hundreds of public data breaches around the world. You can bet that many more go unreported.
The combination of "extremely portable" and "high capacity," compounded with people's inability to delete data – it's always easier to keep it around if you've got lots of storage space left, which is why my web-browser bookmarks point to YouTube clips that don't exist anymore – creates a potent and poisonous mix that will lead to a data breach, sooner or later.
The best way to ensure that a portable device doesn't turn into a data breach is to not use one. Now, you might think this is easier said than done, but it isn't, in a way. There are companies out there in the world where they prevent the use of USB flash drives and such by taking a penny and gluing it to USB ports (my guess is that they're big into Bluetooth keyboards and mice).
Most companies, however, will benefit from the use of their USB ports. But, keeping them open and accessible also means that an employee could use their own USB sticks to copy data. What to do? At AlertBoot, we recommend controlling where the USB device can be used, and making sure that it's encrypted.
First, the use of encryption software will ensure that there is no unauthorized access when and if the device goes missing. Second, you can control where and how the device can be used by ensuring it doesn't work on unauthorized computers. Under the AlertBoot solution for full disk encryption, a USB storage device can only be shared with computers that are part of a trusted group.
So, for example, a USB device will work among computers lined at the front of the room, but not with those at the back of the same room (the device would show as unformatted thanks to encryption). It's just a matter of how you group the computers: by department, by team, by floor, etc.