Public Works cracked down on use of USB drives after high-profile losses at HRSDC

The Feb. 12 memo, sent to Ambrose about one month after HRSDC publicly announced the loss of a portable hard drive containing the personal information of 583, 000 Canada Student Loan borrowers. That followed revelations that HRSDC had also lost a USB drive with the personal information of more than 5, 000 Canada Pension Plan disability claimants.

Neither device was encrypted nor password protected, as required under federal policies.

Public Works was one of those departments that uses portable storage devices to move around sensitive files. According to the memo, the rules about what USB keys would be allowed inside the department were to be tightened on March 1. An accompanying note to staff laid out the new rules:

Only approved USB sticks with encryption capabilities would be allowed to store protected or classified information
Department officials had to keep a record of each approved USB stick, including who it was assigned to, the date it was assigned, an identification number for the device, and “the highest level of security classification stored on the device”
A prohibition on connecting any personal devices, such as USB sticks, smartphones, and MP3 players, to any departmental computer
“The approach we are pursuing will allow for the continued use of USB flash drives for users with a legitimate business or operational need, while making it mandatory to use only departmentally approved USB flash drives with encryption capabilities for protected or classified information, ” reads the briefing note to Ambrose.

The department confirmed the new rules are in effect and security staff continue to perform inspections to prevent violations of the rules. Here’s what department spokesman Sébastien Bois said in an email:

“Use of USB memory sticks is restricted to business purposes to temporarily store or transport electronic information. PWGSC has mandated the use of only approved encrypted USB memory sticks for the transport and temporary storage of protected and classified information. PWGSC has also strengthened its awareness efforts to ensure that employees understand the appropriate use of USB sticks and their responsibilities. Personal USB keys or other devices must not be connected to a PWGSC desktop or notebook computer. ”