Over 100,000 former adult students in Virginia are being contacted by the education authorities after a USB stick holding information that included their names, social security numbers, and employment and demographic details was misplaced.
The data was not encrypted, the Washington Post reported this week.
The data was lost after a department employee handed over the USB stick to a Virginia Tech employee who required the information for federally mandated research. The USB stick was lost the following day.
According to the Post, the education department in Virginia said that measures to protect the data were in place – policies and secure systems – but added that no policy or system is immune from human error.
Human error alone, however, does not justify the fact that the data was misplaced or that it was allowed to be taken out of the building.
If data is confidential, there are more secure methods of transportation. For example, the data could have been sent via a secure web portal, eliminating the risk of loss during transit. Encrypting the data, especially on a drive, is a must and should be standard policy for every organization, small or large, that handles confidential data. There should also be clear policies that stipulate who can and cannot handle the data and who has access to it.
This story once again shows how important it is for organizations to look beyond technology measures where the security of their data is concerned. No one is immune to human error, but planning and implementing user policies can go a long way to lower the risk. Organizations need to be able to track where their data is at all times and ensure that it cannot be compromised along the way. Security policies need not only to be watertight but also to be enforced.
The loss of 103,000 student records is a serious breach of trust that could have been avoided with better policies in place. Of greater concern is the loss of credibility as a result of such incidents.
This case can be added to a huge list of data breaches. According to the Privacy Rights Clearinghouse, the total number of records containing sensitive personal information involved in security breaches in the US since January 2005 is 339,863,601.