Personal memory device security leaks

Computerworld - Proliferating flash drives and other personal memory devices are causing corporate IT managers to rethink data security policies and enforcement. But the balance between corporate security and user convenience has never been more difficult to achieve, because ubiquitous thumb-size drives can hold gigabytes of corporate information.

"In many cases, it's an unrecognized security problem," says Jack Gold, founder of J. Gold Associates, an IT consulting firm in Northboro, Mass. "And it's not just flash drives. A lot of users have discovered that iPods make convenient backup devices."

But there can be huge consequences for IT departments that neglect the problem, Gold says. "Think about compliance issues if an insurance company employee downloads a couple of thousand customer records onto a flash drive and then loses the device," he says. "And often, the company won't even know the employee has done it." The result can be lawsuits and, if federal medical or financial privacy rules have been violated, multimillion-dollar fines, according to Gold.

"The payback for doing a good job with security for these personal devices is preventing a $10 million to $30 million company liability," Gold says.

Data Guardians

While relatively few companies are addressing the issue, some have tried solutions ranging from total network lockdowns to requiring the use of encrypted flash drives to ensure that data will at least be safeguarded if it is lost.

At the less restrictive end of the spectrum is Children's Home Society of Florida (CHS), an adoption and family counseling agency in Winter Park.

"We deal with private medical information, and so it's been a long-standing problem," said CIO John Valleau. "Our employees have floppy disks, flash drives and iPods to which information can be transferred."

Although CHS has a "thou shalt not copy" policy regarding the downloading of sensitive information to portable memory devices, Valleau says he isn't about to ban them, because "some people might need to carry protected medical records from one location of ours to another." As a result, Valleau is looking at requiring employees to use only new, encrypted flash drives at the 1,000 computer workstations at the firm's 210 offices around Florida.

Source: Exclusive Computerworld survey, March 2006

Hospitals, which must closely guard patient information under the Health Insurance Portability and Accountability Act, are particularly concerned about flash drives.

"While personal storage devices haven't been a big problem for us, we need to be able to prove that we are protecting patient information," says Mark McGill, a network engineer who administers security for 900 workstations and 1,200 users at Ellis Hospital in Schenectady, N.Y.