Lost USB Drive Involved In Death – ICO Fines Powerless

Reports link the loss of an unsecure USB drive which contained details about over 1000 police formants to the violent death of one of the suspects in the alleged theft.

The information went missing just weeks ago from the Greater Manchester Police after an officer brought the data home for work on an unsecure USB flash drive. This was in contradiction to a policy at the police force that mandated that all portable data be protected with encryption and passwords. This policy came in place after a similar data loss incident just ten months prior. This new incident involved the loss of the sensitive data that tracked the details of 1.075 police informants. The first incident prompted the ICO in the UK to issue a £120.000 fine which we reported about back then. The first loss prompted us to advocate a general ban of unsecure USB drives for government use.

The Daily Mail has published an article¹ which provide more details on the current case.
One of the main targets of the police operation that involved over 100 officers seemed to have been to recapture the unsecure USB drive that contained the data. It is unclear what the purpose of reclaiming the unsecure USB drive was as the data could be copied off the device to a second source at any point. Regular USB drives contain no record of who has copied data, it does not even trace if such an event ever took place.

There are many aspects to this tragic story, and many other are better suited to tell about it in all its facets. The IT security perspective is not the most important one, but it may be the one that holds the answers on how prevent events like these. It is tragic for all involved: victims, police officers and tech staff that something like this should take place. Especially when there are solutions readily available.

What also comes into question is the effectiveness of the ICO fines. The police force had already been fined £120.000 less than a year ago and still there seemed to be no signed of improvement. The only visible action is toothless paper tiger policy that says that data needed to be encrypted and password protected. The ICO forces there to be signs of improvement to avoid further fines. The policy was all that was needed to get of the radar of the ICO.

One thought might be to assign part of the fine as a mandatory purchase to avoid the problem to reoccur. The sensible thing to do is to ban the use of unsecure USB drives and unencrypted portable data for government use. There is no practical use for unsecure storage that cannot be replaced by encrypted storage. The costs involved in making the switch to a secure solution is not great.