USB devices offer a convenient way to transfer data between two computers. However, their small physical size and large data capacity means that large volumes of personal data can be lost or stolen with relative ease.

Furthermore, if personal data is not securely wiped from USB devices prior to reuse there is a possibility that data considered deleted by the data controller could be recovered by a third-party.

Personal data can be encrypted by placing the files within an encrypted container on a USB device but requires the recipient to have access to the same encryption algorithm or software.

Hardware encrypted USB devices are also available which contain the necessary encryption capability embedded within the device, meaning that the data can be decrypted without the need for the user to install additional software. Due to a number of security risks present in permitting the use of USB devices, a number of organisations have implemented policies which forbid or technically limit the functionality of USB devices.

The sender would also need to consider a method to transfer the key or password to the recipient over a separate communication channel.

Example

North East Lincolnshire Council was issued with a civil monetary penalty of £80,000 after a serious data breach resulted in the sensitive information of hundreds of children with special educational needs being lost.

The information was stored on an unencrypted memory stick and went missing after the device was left in a laptop at the council’s offices by a special educational needs teacher. When the teacher returned to the laptop the memory stick was gone and it has never been recovered.

The device contained sensitive personal information about the 286 children who attended local schools, including information about their mental and physical health problems and teaching requirements. The device also included the pupils’ dates of birth and some included details of their home addresses and information about their home life.