Years ago, we started a project that required us to be onsite reviewing case files to collect data. To do this, we used a password-protected database pre-populated with some basic information, including names, birth dates, and services being used, stored on a flash drive. Can you already see where this is going?
Although the database was password-protected, neither the database file nor the flash drive itself was encrypted, so whoever found the drive could potentially get at the data. When the flash drive went missing one day (we think it was accidentally thrown away with some papers), we suddenly started thinking of all the nightmare scenarios that could happen to the vulnerable people whose data we held. You’ve seen similar stories in the news, including a recent theft of an unencrypted laptop.
It was difficult to go through an experience like this, but it made us a stronger and more data-secure organization early on in our business development. Out of this incident we developed a 4-pronged response, which we have never had to use since:
- Directly notify the client that there may be a security risk and assume full responsibility for any fallout from the error.
- Minimize the immediate problem by notifying all affected individuals and providing them with some electronic protections (credit monitoring and identity theft insurance).
- Develop practices which reduce the likelihood of error. For example, for this project, we now have a practice of wearing the flash drive on a lanyard during transport.