Proliferating flash drives and other personal memory devices are causing corporate IT managers to rethink data security policies and enforcement. But the balance between corporate security and user convenience has never been more difficult to achieve, because ubiquitous thumb-size drives can hold gigabytes of corporate information.

"In many cases, it's an unrecognized security problem," says Jack Gold, founder of J. Gold Associates, an IT consulting firm. "And it's not just flash drives. A lot of users have discovered that iPods make convenient backup devices."

But there can be huge consequences for IT departments that neglect the problem, Gold says. "Think about compliance issues if an insurance company employee downloads a couple of thousand customer records onto a flash drive and then loses the device," he says. "And often, the company won't even know the employee has done it." The result can be lawsuits and, if federal medical or financial privacy rules have been violated, multimillion-dollar fines, according to Gold.

"The payback for doing a good job with security for these personal devices is preventing a US$10 million to US$30 million company liability," Gold says.

Data Guardians

While relatively few companies are addressing the issue, some have tried solutions ranging from total network lockdowns to requiring the use of encrypted flash drives to ensure that data will at least be safeguarded if it is lost.

At the less restrictive end of the spectrum is Children's Home Society of Florida (CHS), an adoption and family counseling agency in Winter Park.

"We deal with private medical information, and so it's been a long-standing problem," said CIO John Valleau. "Our employees have floppy disks, flash drives and iPods to which information can be transferred."

Although CHS has a "thou shalt not copy" policy regarding the downloading of sensitive information to portable memory devices, Valleau says he isn't about to ban them, because "some people might need to carry protected medical records from one location of ours to another." As a result, Valleau is looking at requiring employees to use only new, encrypted flash drives at the 1,000 computer workstations at the firm's 210 offices around Florida.

Hospitals, which must closely guard patient information under the Health Insurance Portability and Accountability Act, are particularly concerned about flash drives.

"While personal storage devices haven't been a big problem for us, we need to be able to prove that we are protecting patient information," says Mark McGill, a network engineer who administers security for 900 workstations and 1,200 users at Ellis Hospital.

"Many people have access to patients' Social Security numbers, personal information and diagnoses. So we toyed with banning flash drives and camera phones -- a double threat when the camera phones contain memory cards that can hold data -- but some people have a valid use for them," he explains. "And when we started to lock things down, the users screamed. One doctor said he couldn't give his PowerPoint presentation at another hospital."

McGill's solution was to install Sanctuary, a network monitoring product from SecureWave SA in Luxembourg that can restrict the use of personal storage devices based on a user's identity, individual PC workstations or the type of personal data device being connected to the network. Exceptions can be made for reasonable data- access requests, he says. However, the software can't protect against the use of a camera phone not connected to the network, so the hospital relies on a policy limiting where photos can be taken.