
5 May 2009

Many government departments risk accidentally disclosing sensitive personal information because of poor controls on staff use of 'portable storage devices' (PSDs) such as USB memory sticks, Privacy Commissioner Marie Shroff says.

A survey of the 42 main government agencies, undertaken by the Office of the Privacy Commissioner recently, shows PSDs are widely used but that there are real gaps in security procedures and practices.

Thirty-five out of the 37 agencies (95%) that responded to the survey made PSDs available to staff - most commonly USB sticks. Nearly two-thirds of agencies also allowed staff to use their own personal PSDs for work purposes.

Just nine agencies made PSD encryption mandatory, while 43 percent did not provide encryption solutions of any sort. Sixty-two percent kept a PSD register but only 22 percent said they would be able to track transfers of data to PSDs.

"PSDs are small, lightweight and easy to use, and can store vast amounts of information, but are easily misplaced or stolen," Marie Shroff says.

The use of PSDs in the workplace - both public and private sector - presents potential security risks, particularly if the devices contain unsecured or sensitive data.

"We are particularly concerned about the use of personal PSDs in the workplace because it is so easy to lose one, or to accidentally disclose sensitive information by, for example, lending a USB stick to a friend."

"If you are using your own personal PSD for work, then you are more likely to accidentally take that corporate information with you when you change jobs. Government agencies have a responsibility to try and prevent that sort of thing," Marie Shroff says.

Although the survey found that 75 percent of the government agencies that responded reported having policies to restrict or control the use of PSDs, we are not yet confident that those policies are of a good standard or are well known by staff.

  • Only half of the policies included details about how to delete content.
  • Only 25 percent of agencies performed an audit to ensure PSD procedures were followed.
  • Seventy percent had procedures to report the loss or theft of a corporate PSD, but only 27 percent for personal PSDs used for work.
  • Availability and use of security tools such as encryption, tracking of data transfers, or hardware and software controls were patchy or lacking.

"Agencies that primarily hold classified or sensitive information have significantly tighter controls over the use of PSDs than those that hold the largest amounts of personal information," Marie Shroff says.

"It is particularly concerning that some of the agencies with poorer practices are flagship departments that hold the personal details of thousands of ordinary New Zealanders."

"It appears that personal information is not being treated with the same care and respect as 'classified' or 'sensitive' information."

"On the positive side, some agencies have recognised they have weak controls on the use of PSDs and are taking steps to introduce tighter controls. We are briefing departments on the results and I hope that spurs them to lift their game," she says.

"Private sector businesses were not included in this survey, but there are clear messages from this that apply across the board.

"We have seen the overseas incidents of how easily PSDs containing large amounts of sensitive information are lost or mislaid. We want to avoid similar events affecting New Zealanders. We want to get it right before we get it wrong."


________________________________________________________________

Tips for organisations on the safe use of PSDs

  • Have a formal policy on PSD use that is actively and effectively communicated to staff.
  • Staff should be made aware of the need to report the loss or theft of a PSD, and know the procedures for doing so.
  • Clearly explain to users how and when to delete data from PSDs.
  • Encryption should be used for all PSDs that are likely to store personal information.
  • Agencies should monitor and audit use of PSDs.
  • Strict limits on the use of personal PSDs should be enforced, in combination with providing suitable corporately-owned PSDs.

___________________________________________________________________

Background

PSDs include USB sticks, cell phones, BlackBerries, iPhones, iPods, MP3 players, PDAs (personal digital assistants) and netbooks. They are used for a variety of purposes, including taking work home or information to meetings, temporary file storage or back-up, or transferring bulk data, sometimes sensitive, between organisations.

Hardware controls may include physically disconnecting, removing or sealing off ports. Software or program controls identify when a PSD has been connected to a computer or network and restrict or limit use of the device.
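The survey's points about keeping a PSD register, tracking transfers of data to PSDs and auditing PSD use, together with the software controls just described, are easier to picture with a concrete check. The following is an added example and not the Commissioner's or any agency's own tooling: a small Python audit that reads constructed device-connection log lines in a hypothetical endpoint-agent format, compares each device serial against a constructed corporate PSD register, and flags unregistered (likely personal) devices, writes to unencrypted corporate devices, and bulk transfers. The register contents, log format, serial numbers, user names and the 100 MiB bulk threshold are all assumptions made for the example.

```python
"""Added example: audit constructed PSD-connection logs against a PSD register.

Not part of the original release. The log format, register entries, serial
numbers and threshold below are assumptions for illustration only.
"""
import re
from dataclasses import dataclass

# Constructed sample register: approved corporate PSDs keyed by serial number.
PSD_REGISTER = {
    "4C530001230405": {"owner": "records-team", "encrypted": True},
    "4C530009998877": {"owner": "finance", "encrypted": False},
}

# Constructed sample log lines in a hypothetical agent format:
#   <timestamp> host=<host> user=<user> event=<connect|write> serial=<serial> [bytes=<n>]
SAMPLE_LOG = """\
2009-05-05T09:01:12 host=WS-017 user=jsmith event=connect serial=4C530001230405
2009-05-05T09:02:40 host=WS-017 user=jsmith event=write serial=4C530001230405 bytes=20480
2009-05-05T10:15:03 host=WS-042 user=mlee event=connect serial=0781554ABCDE12
2009-05-05T10:16:55 host=WS-042 user=mlee event=write serial=0781554ABCDE12 bytes=734003200
2009-05-05T11:20:00 host=WS-008 user=kwong event=connect serial=4C530009998877
2009-05-05T11:21:30 host=WS-008 user=kwong event=write serial=4C530009998877 bytes=5242880
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>connect|write) serial=(?P<serial>\S+)(?: bytes=(?P<bytes>\d+))?$"
)

# Assumed threshold above which a single write counts as a bulk transfer (100 MiB).
BULK_THRESHOLD = 100 * 1024 * 1024


@dataclass
class Finding:
    ts: str
    user: str
    serial: str
    reason: str


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["bytes"] = int(d["bytes"]) if d["bytes"] else 0
        events.append(d)
    return events


def audit(events, register=PSD_REGISTER, threshold=BULK_THRESHOLD):
    """Return findings for unregistered devices, unencrypted writes and bulk writes."""
    findings = []
    for e in events:
        entry = register.get(e["serial"])
        if e["event"] == "connect" and entry is None:
            findings.append(Finding(e["ts"], e["user"], e["serial"], "unregistered device connected"))
        elif e["event"] == "write":
            if entry is None:
                findings.append(Finding(e["ts"], e["user"], e["serial"], "write to unregistered device"))
            elif not entry["encrypted"]:
                findings.append(Finding(e["ts"], e["user"], e["serial"], "write to unencrypted corporate PSD"))
            # Bulk transfers are flagged whether or not the device is registered.
            if e["bytes"] >= threshold:
                findings.append(Finding(e["ts"], e["user"], e["serial"], "bulk transfer to PSD"))
    return findings


def summarise(findings):
    """Count findings per reason so an auditor can see where the gaps are."""
    counts = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(parse_log(SAMPLE_LOG))
    for f in results:
        print(f"{f.ts} {f.user} {f.serial}: {f.reason}")
    print(summarise(results))
```

On the constructed input the audit reports the unregistered device on WS-042 twice (connection and a 700 MB write, the latter also flagged as a bulk transfer) and one write to the finance team's unencrypted corporate stick; the encrypted records-team device produces no findings. In practice the register would come from the agency's asset system and the events from whatever device-control software is in place, but the logic of matching serials against a register and watching transfer sizes is the same.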

The survey is the first of its kind undertaken in New Zealand, and was carried out to find out the sort of precautions government agencies are taking to secure New Zealanders' data. It was largely based on a similar survey undertaken by the Victorian Privacy Commissioner, which was released in January. See www.privacy.vic.gov.au and the link 'Use of Portable Storage Devices'. The Australian Federal Privacy Commissioner has also completed a survey on PSDs. The results will be launched on 8 May. See www.privacy.gov.au.

Overseas examples of how easily personal information can be lost:

  • 100 USB sticks, some containing secret information, have been lost or stolen from the UK Ministry of Defence since 2004.
  • In December 2008, a USB stick containing details of over 6,000 prisoners was lost by a health agency at a UK prison.
  • Details of almost 900 customers, including accounts, phone numbers and addresses, copied onto a USB stick were lost by a Bank of Ireland employee in November 2008. The information was not encrypted.
  • A recent UK survey, carried out by a data security firm, found an estimated 9,000 USB sticks have been left in people's pockets when they take their clothes to the dry cleaners.

For more information see www.privacy.org.nz or contact:
Annabel Fordham tel 04 474 7590 or 021 509 735 or email enquiries@privacy.org.nz


Privacy Commissioner Marie Shroff will be speaking about the PSD survey results at a business seminar on Tuesday April 5, 3.30pm, at the Ernst & Young offices, Level 5, 34-36 Cranmer Square, Christchurch. Media are welcome to attend.