“The cost of a USB flash drive may be insignificant but the value of the data it might contain can be priceless.” With this statement in a study published by the European Network and Information Security Agency (ENISA) in June, Executive Director Andrea Pirotti alerted companies to supervise their employees’ use of USB flash drives. In today’s digital environment, the use of portable devices such as USB flash drives by corporate end-users is becoming more popular. These tools are convenient when traveling or working at home, and the capacity for storing data on USB flash drives has increased significantly in recent years. However, the data on these plug-and-play devices is often insufficiently protected and their use is not always subject to corporate policies, back-up requirements, or encryption measures.

ENISA’s recent study shows that the loss of a USB flash drive by a corporate end-user may have devastating financial consequences for a company. According to ENISA, the average cost per breach ranges from approximately $100,000 to $2.5 million. These figures can be explained by the fact that USB flash drives often contain sensitive business information.

According to a study conducted by the Ponemon Institute, more than half of the employees interviewed confessed to copying sensitive business information to USB flash drives, even though the vast majority of their employers prohibit such practice.

In the United States, loss of personal information stored on USB drives would trigger state data breach notification laws and their associated requirements.

Consistent with similar U.S. recommendations, ENISA emphasized the need for educating employees sufficiently about the risks involved in using USB flash drives and similar devices. ENISA also encouraged companies to develop security policies that employees should follow. Other preventive measures, such as the use of encryption methods, should also be considered.

Although not covered by the ENISA study, data breaches resulting from the loss or theft of a USB flash drive can have major legal consequences. For instance, because confidentiality is a common clause in many business contracts today, loss of data relating to such contracts could be viewed as a contractual breach.

Recently, the British government terminated its agreement with a consulting firm after the firm lost the personal data of convicts in England and Wales. UK Home Secretary Jacqui Smith ended the contract saying that “this was a clear breach of the robust terms of the contract covering security and data handling.”

The ENISA study makes it clear that corporate end-users should handle USB flash drives with extreme care. They should always keep in mind that losing data on a USB flash drive could harm the company’s reputation or financial position, lead to the loss of jobs, or even result in the company’s bankruptcy.


The ENISA study may be found here.