When Unencrypted USB Keys Go Missing
Elections Ontario, the public agency responsible for conducting elections in the Canadian province of Ontario, recently lost two USB keys containing personal information on as many as four million electors—possibly the largest ever privacy breach in the province's history. Though the agency initially claimed the data on the keys was encrypted, as per their policy, it soon discovered that, in fact, they were not.
Perhaps most shocking, four days after they discovered that the keys were missing, the Elections Ontario employees resumed using unencrypted keys, much as they had been before, apparently because they had confused encryption with compression.
In a preliminary report, Ontario's information and privacy commissioner lambasted Elections Ontario for their failure to encrypt the USB keys and, moreover, for their "failure to build privacy into the routine information management practices of the agency. What is particularly discouraging was the discovery that the privacy and security of personal information was not part of any training programs that were offered to staff," she continued.
What are the lessons learned from this story?
The first is that it is not a question of if your organization will lose a laptop, portable hard drive, or USB key. The question is when. There is an incredible amount of personal information on these very small, very mobile, very easy-to-lose devices. This isn't the first time one of them was lost, and it won't be the last.
Second, we need to create policies that correctly address this risk. Namely, they need to mandate encryption—both of laptops and of personal data, wherever it is held.
Third, we need to verify that what's written in our policies is actually reflected in our day-to-day work. This was the critical problem at Elections Ontario. Good policies regarding encryption and data handling appear to have been written, but they weren't being followed.
Fourth, we need to make sure our policies are realistic. This includes not only making employees conform to the policy but also trying to ensure that, as much as possible, it conforms to our employees and the jobs we ask them to do.
When policies conflict with actually getting their work done, people will choose getting their work done over following a security policy every time. The reasoning behind this is simple—the consequences of not following a policy are abstract, distant, and uncertain, but if you don't get your work done, you can be very sure that you will soon be fired.
Finally, there needs to be institutional support for policies if we want to ensure that they're followed. It's not enough to merely order that something be done. If employees are to follow a policy, we need to provide the tools that let them do it.