Privacy Commissioner slams use of PSD’s

New Zealand's Privacy Commissioner has issued a highly critical report highlighting the security issues surrounding the use of personal storage devices (typically USB drives) in government departments.

The results of a recent survey of 42 main government agencies have been released, and the Privacy Commissioner has condemned the use of personal storage devices (PSD’s). In her comments, Marie Shroff stated that there were "real gaps" in security procedures and policies which would "put government agencies at risk".

The most common PSD’s are compact USB storage devices, commonly known as "flash drives" or "pen drives". They have become common in the workplace as they are a cheap and simple way of storing and sharing files. "They have become an integral part of they way we work," she said. "But you don’t actually want someone to accidentally or deliberately misuse it."

"[Personal storage devices] are small, lightweight and easy to use, and can store vast amounts of information, but are easily misplaced or stolen… their use in the workplace presented security risks, particularly if the devices contain unsecured or sensitive data," she said.

"It is particularly concerning that some of the agencies with poorer practices are flagship departments that hold the personal details of thousands of ordinary New Zealanders," Ms Shroff said. "It appears that personal information is not being treated with the same care and respect as 'classified' or 'sensitive' information."

People had "not yet woken up to the implications" of losing data through devices if they were lost or stolen. "But the penny is going to drop over the next couple of years. There is actually quite some risk and we have to get up to speed. We have seen the overseas incidents of how easily PSDs containing large amounts of sensitive information are lost or mislaid. We want to avoid similar events affecting New Zealanders. We want to get it right before we get it wrong."

This is not the first time the Privacy Commissioner has drawn attention to this issue, however it is undoubtedly her strongest condemnation of PSD usage. Many government agencies, organisations and businesses are now adopting policies of their own to eliminate the risk of data misappropriation through the use of PSD’s. Some are going as far a gluing up the USB ports on computers that employees have access to. This practice has been common overseas for several years.

Although government agencies are the target of Ms Shroff’s comments, practices in the private sector are of similar concern. It is important to protect business continuity through the use of a robust backup system, however careful thought also needs to be given to the protection of any information that is taken off the premises.

Employers are advised to:

• Have a formal policy on the use of PSD’s that is actively communicated to staff
• Staff should be prevented from using their own PSD’s at work
• Businesses should monitor and audit the use of PSD’s
• Staff should me made aware of the need to report the loss of a PSD
• Private information should not be taken off the premises on a PSD