Policies Alone Don’t Provide Protection

During our work we often hear a familiar reassurance: “We have a policy for that.” It sounds comforting and responsible. But a recent decision from the Office of the Privacy Commissioner (PBN3791), involving something as ordinary as a lost USB stick, is a sharp reminder that policies alone don’t protect anything.

In this case, a USB device containing personal information was lost. There was nothing sophisticated about the incident: no cyberattack, no insider threat, no complex system failure. Just a small, portable device going missing. And yet this resulted in a notifiable privacy breach, because the loss of that information created a risk of serious harm. A simple mistake quickly became a much larger issue.

Incidents like this almost never occur in organisations that have no policies at all. In fact, it is far more likely that policies already existed, including rules about handling personal information, expectations around device use, perhaps even guidance about removable media. But somewhere between what was written and what actually happened, there was a gap. The USB stick was still used, still carried, and ultimately still lost.

Policies are static, but risk is not. A document that says “do not use unencrypted USB devices” does nothing if those devices can still be plugged in, if data can still be copied, and if no one is monitoring or enforcing the rule. A policy can describe the right behaviour, but it cannot guarantee it occurs.

The real issue, then, is not whether a policy exists, but whether the organisation has translated that policy into something operational that staff follow. If personal information can leave your environment on a device that can be easily lost, then the existence of a policy prohibiting that behaviour offers little protection after the fact.

What is required to mitigate the risk is a combination of controls, readiness, and culture. Technical measures such as device control, encryption enforcement, and data loss prevention reduce the likelihood that sensitive information can be copied onto unsecured media in the first place. Operational readiness ensures that if something does go wrong, the organisation can quickly assess the risk, determine whether serious harm is likely, and meet its notification obligations. And culture is what shapes whether people follow processes when no one is watching, and whether incidents are reported quickly rather than quietly ignored.
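As an added illustration (not part of the original post), here is what turning the written rule "do not use unencrypted USB devices" into an enforced technical control can look like on a Windows endpoint: the BitLocker To Go setting that refuses writes to removable drives that are not encrypted, plus a check that reports whether the rule is actually in force on a given machine. It assumes an elevated PowerShell session on a Windows client where BitLocker is available; the registry values mirror the corresponding Group Policy settings, and in a fleet they would normally be pushed via Group Policy or MDM rather than set by hand.

```powershell
# Added example, not from the ThreeBlackCats post. Assumes an elevated
# PowerShell session on a Windows client with BitLocker available.

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null

# Group Policy "Deny write access to removable drives not protected by
# BitLocker". A USB stick can still be plugged in and read, but personal
# information cannot be copied onto it unless the drive is encrypted first.
Set-ItemProperty -Path $fve -Name 'RDVDenyWriteAccess' -Type DWord -Value 1

# Optional stricter variant: also refuse writes to drives encrypted by a
# different organisation (their BitLocker identification field differs).
# Set-ItemProperty -Path $fve -Name 'RDVDenyCrossOrg' -Type DWord -Value 1

# Check 1: is the enforcement setting present on this host? Returns $true
# when the control exists, not merely when the policy document says it should.
function Test-RemovableWritePolicy {
    $v = Get-ItemProperty -Path $fve -Name 'RDVDenyWriteAccess' -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.RDVDenyWriteAccess -eq 1)
}

# Check 2: list every removable drive currently attached and its BitLocker
# protection state. Any drive showing Protected = Off on a host where
# Test-RemovableWritePolicy returns $false is exactly the gap the post
# describes: a rule on paper with data still able to leave on plain media.
function Get-RemovableDriveStatus {
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -eq 'Data' } |
        ForEach-Object {
            $letter = $_.MountPoint.TrimEnd(':', '\')
            $vol = Get-Volume -DriveLetter $letter -ErrorAction SilentlyContinue
            if ($vol -and $vol.DriveType -eq 'Removable') {
                [pscustomobject]@{
                    Drive     = $_.MountPoint
                    Protected = $_.ProtectionStatus   # On / Off
                    Enforced  = Test-RemovableWritePolicy
                }
            }
        }
}

Get-RemovableDriveStatus | Format-Table -AutoSize
```

Run the two checks on a sample of endpoints as part of periodic assurance; a single host where the policy is absent is the point at which "we have a policy for that" stops being true.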

The lesson from the lost USB stick is not really about removable media. It is about the illusion of safety that policies can create. If your protection relies on people remembering and consistently following a written rule, then you likely don’t have protection; you have hope. And hope is not a control.

At ThreeBlackCats, we focus on helping organisations move beyond paper compliance to operational privacy, where controls, behaviours, and response mechanisms work together in the real world, not just in documentation.
