The Lost USB Drive: A Data Privacy Nightmare

The Scenario

Michael Weber is the Head of Human Resources at a mid-sized manufacturing company with 120 employees. On a Friday afternoon, he copies the payroll records and personnel files of 35 employees onto a USB drive because he wants to continue working from home over the weekend. The payroll specialist had asked him to resolve some discrepancies by Monday.

On his way to the parking garage, Michael stops briefly at the supermarket. He places his laptop bag in the shopping cart. At the checkout, he packs his groceries and drives home. It is not until Sunday evening, when he searches for the USB drive, that he realizes it is gone. It most likely slipped out of his bag in the supermarket.

On the USB drive: the full names, addresses, and dates of birth of 35 employees. Social security numbers, tax IDs, and bank account details. Salary figures and bonus agreements. Sick notes and information about health conditions. In two cases, formal warnings with details about misconduct. And copies of national identity cards.

The USB drive was not encrypted. No password. No device management. No ability to remotely wipe the data.

Michael calls his supervisor on Monday morning. A race against time begins: within 72 hours, the relevant data protection authority must be notified. All 35 affected employees must be informed. And the company must prepare for uncomfortable questions — starting with why sensitive personnel data was being transported on an unencrypted USB drive in the first place.

The Risks

Identity theft: With the data on the USB drive — name, date of birth, address, tax ID, social security number, and bank account number — a finder or thief has everything needed for complete identity theft. Credit applications, online purchases on someone else's account, opening new bank accounts — the potential for abuse is extensive.

Blackmail and social harm: Information about salaries, formal warnings, or health conditions can be used for blackmail or made public. The affected employees may suffer not only financial but also deep personal harm.

No traceability: Unlike a digital system, with a physical storage medium there is no way to determine whether and by whom the data was accessed. The company cannot give its employees the all-clear.

Risk of repetition: If USB drives are an established transport medium within the company, it is only a matter of time before the next drive goes missing. Research by the Ponemon Institute found that companies lose an average of 12,000 USB drives per year.

Malware risk: Even if the drive is found and returned, there is a risk that it has been tampered with. An attacker could place malware on the drive and intentionally leave it where it will be found — a method known as a "USB drop attack."

Legal Consequences

The loss of an unencrypted USB drive containing personal data is a reportable data breach under the GDPR.

Art. 33 GDPR — Breach notification: The company must report the incident to the competent supervisory authority within 72 hours. The notification must describe the nature of the breach, the categories of data affected, the approximate number of individuals concerned, and the countermeasures taken.

Art. 34 GDPR — Notification of affected individuals: Since the incident poses a high risk to the personal rights and freedoms of those affected, all 35 employees must be individually notified.

Art. 32 GDPR — Appropriate security measures: The company failed to implement appropriate technical and organizational measures. Unencrypted USB drives as a transport medium for personnel data represents a clear violation.

Fines: Supervisory authorities have imposed fines between 10,000 and 100,000 euros in comparable cases. The UK's ICO imposed a fine of 120,000 pounds on a health authority in 2019 after USB drives containing patient data were lost.

Employment law consequences: Michael Weber may face employment law repercussions — from a formal warning to immediate dismissal, depending on internal policies and the severity of the damage.

How to Prevent This

With SendMeSafe, Michael Weber would never have found himself in this situation. Instead of copying data to a USB drive, he could have shared it securely and digitally.

1. Secure file sharing: Michael creates a share link for the relevant documents. The link is password-protected and has an expiration date. He can securely access the files from home through his browser.

2. No physical media needed: All data remains on SendMeSafe's encrypted European servers. Nothing needs to be copied to USB drives, external hard drives, or personal devices.

3. Access control: The share link can be given a download limit. After access, the link is automatically deactivated. Should Michael no longer need the link, he can revoke it manually at any time.

4. Complete audit trail: Every access is logged. The company knows at all times who accessed which data and when. In the event of a review by the supervisory authority, this documentation can be presented.

5. Encryption at all levels: Data is stored with AES-256 encryption and transmitted over SSL/TLS-protected connections. Even if unauthorized access were to occur, the data would be unreadable.

6. Data minimization: Through SendMeSafe, Michael can share only the specific documents he actually needs — not entire directories or database extracts.

Conclusion

USB drives are relics of a bygone era in data management. They offer zero encryption by default, no access logging, no remote wipe capability, and they are small enough to lose in a grocery store. Yet countless organizations continue to use them for transporting their most sensitive data.

The safest USB drive is the one you never need. SendMeSafe eliminates the requirement for physical storage media entirely by providing secure, encrypted, browser-based access to documents from anywhere. Register now and leave USB drives where they belong — in the past.

Frequently Asked Questions

Am I as an employee allowed to copy company data onto USB drives?

That depends on your company's internal policies. Many organizations have already completely banned USB drives as a data transport medium. Regardless of internal rules, as an employee you share responsibility for protecting the data you work with. When in doubt, ask your data protection officer and use a secure digital alternative.

What should I do if I have lost a USB drive containing company data?

Inform your supervisor and data protection officer immediately. Document when and where the loss was noticed and what data was on the drive. The company must then decide whether a report to the supervisory authority is required. Do not attempt to conceal the incident — that makes the situation significantly worse and can lead to additional legal consequences.

Is password-protecting the USB drive not enough?

Password protection is better than no protection at all, but it is not sufficient. Many USB drive encryption methods can be bypassed with freely available software. Additionally, the problem of missing traceability remains: you cannot know whether the data was viewed. A cloud-based solution with a genuine audit trail offers significantly more security.

How can I reduce USB drive usage in my company?

Provide a secure, easy-to-use alternative. With SendMeSafe, employees can securely share documents and access them from anywhere — without USB drives, without VPN tunnels, and without complicated encryption software. Supplement this with a clear policy prohibiting the use of unencrypted USB drives for personal data, and conduct regular training to reinforce the message.