Three stories from the BBC today demonstrate, as if demonstration were necessary, that carelessness with IT storage media can easily expose the personal data of thousands of individuals to the potential of identity theft:
1. The Driver and Vehicle Agency in Northern Ireland lost 2 disks containing details of 6,000 people en route to its headquarters in Swansea.
2. Leeds Building Society mislaid personal details of 1,000 employees while moving the HR department from one floor to another.
3. A Merseyside health care trust "accidentally" sent out personal details on thousands of staff to four medical organisations bidding to supply the trust.
If the data involved had been printed out, I suspect those involved would have taken more care with the filing cabinets or boxes of paper but CD-ROMs or DVDs seem so insignificant.
Security policies, procedures and guidelines, coupled with effective security awareness activities and staff training, are obvious controls for such situations, along with encryption of anything confidential and care over the encryption keys.