As anyone who's ever left a USB key in a Kinko's knows,
it's easy to lose a mobile device containing sensitive user
information. As a recent statement from the Newfoundland and
Labrador's Office of the Information and Privacy Commissioner
(OIPC) shows, taking preemptive steps to make the user information
on a mobile device more secure could protect the information
– and your organization – if the device ever falls into
the wrong hands.
In June of 2015, someone at Eastern
Health, the provincial health authority for Newfoundland and
Labrador, lost a non-encrypted flash drive containing the names,
Social Insurance Numbers, and identification numbers of some 9,000
Eastern Health employees. Luckily for Eastern Health, and its
employees, the missing flash drive was ultimately found in a file
folder and recovered. Even so, under section 15 of Newfoundland and
Labrador's Personal Health Information Act,
Eastern Health was required to notify OIPC of the loss, and OIPC
was entitled to review and make recommendations on Eastern
Health's data security practices.
OIPC didn't bring charges though – not just because
the drive was found, but because it was satisfied that Eastern
Health had taken steps to make sure that in the future, if another
drive was lost, the user data would remain secure and
Lessons for organizations that collect user information
Any organization that handles user information can learn from
Eastern Health's experience. Based on what OIPC has said, here
are six tangible steps your organization can take to protect user
data in the event of a breach:
1. Don't use Social Insurance Numbers as employee IDs. Generate a unique number that's not used outside your organization.
2. Require your employees to verify their identity in order to access user information. Don't just rely on passwords, which could be compromised – use security questions that only the employee would be able to answer.
3. If there are non-encrypted USB drives floating around your organization, make sure that they're returned and destroyed.
4. Consider upgrading your organization's antivirus platform so that any non-encrypted USB drives will automatically become encrypted.
5. Make sure all other mobile devices that your organization has already issued are locked down or
6. Have a forward-looking policy on how your organization issues, controls, and uses mobile devices.
The takeaway? Data security doesn't just mean building walls
against unauthorized intruders; it's just as important to think
about how you'll protect the user data your organization
collects if the device that holds it falls into the wrong hands.
Protect it properly, and you may limit your liability down the