As anyone who’s ever left a USB key in a Kinko’s knows, it’s easy to lose a mobile device containing sensitive user information. As a recent statement from the Newfoundland and Labrador’s Office of the Information and Privacy Commissioner (OIPC) shows, taking preemptive steps to make the user information on a mobile device more secure could protect the information – and your organization – if the device ever falls into the wrong hands.
In June of 2015, someone at Eastern Health, the provincial health authority for Newfoundland and Labrador, lost a non-encrypted flash drive containing the names, Social Insurance Numbers, and identification numbers of some 9,000 Eastern Health employees. Luckily for Eastern Health, and its employees, the missing flash drive was ultimately found in a file folder and recovered. Even so, under section 15 of Newfoundland and Labrador’s Personal Health Information Act, Eastern Health was required to notify OIPC of the loss, and OIPC was entitled to review and make recommendations on Eastern Health’s data security practices.
OIPIC didn’t bring charges though – not just because the drive was found, but because it was satisfied that Eastern Health had taken steps to make sure that in the future, if another drive was lost, the user data would remain secure and inaccessible.
Lessons for organizations that collect user information
Any organization that handles user information can learn from Eastern Health’s experience. Based on what OIPC has said, here are six tangible steps your organization can take to protect user data in the event of a breach:
- Don’t use Social Insurance Numbers as employee IDs. Generate a unique number that’s not used outside your organization.
- Require your employees to verify their identify in order to access user information. Don’t just rely on passwords, which could be compromised – use security questions that only the employee would be able to answer.
- If there are non-encrypted USB drives floating around your organization, make sure that they’re returned and destroyed.
- Consider upgrading your organization’s antivirus platform so that any non-encrypted USB drives will automatically become encrypted.
- Make sure all other mobile devices that your organization has already issued are locked down or encrypted.
- Have a forward-looking policy on how your organization issues, controls, and uses mobile devices.
The takeaway? Data security doesn’t just mean building walls against unauthorized intruders; it’s just as important to think about how you’ll protect the user data your organization collects if the device that holds it falls into the wrong hands. Protect it properly, and you may limit your liability down the road.