Data breach from a lost USB: step-by-step plan for the first week
A colleague reports this afternoon that she can no longer find a USB stick with customer data. Maybe left in the train yesterday, maybe at a customer reception desk, maybe dropped somewhere along the way. What now? The coming hours determine whether this becomes a manageable incident or a mandatory-notification incident with more headache than necessary.
First hour: establish the facts
- What was on it? Which documents, how many records, which categories of personal data? The employee often knows roughly, not exactly.
- Was it encrypted? With BitLocker To Go, VeraCrypt, or a hardware-encrypted stick (IronKey, Kingston DT4000, etc.)?
- When last seen? A timeline helps with searching and with the notification assessment.
- Where last seen? Train, customer reception, own bag, own desk.
- Is there a backup? For the operational side: can we continue the work?
Encrypted? Then notification is often not required
If the USB is hardware-encrypted with strong cryptography and the PIN/password has not been lost together with the stick, the encryption qualifies as an ‘appropriate technical measure’. The AP (Autoriteit Persoonsgegevens, the Dutch data protection authority) has previously ruled that a lost encrypted device is usually not a notifiable data breach, provided the encryption truly works and the key is kept separately from the stick.
Document:
- Type of encryption (AES-256 hardware, BitLocker To Go).
- When the password was last changed.
- Evidence that the key was not stored with the stick.
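The evidence above is only available after the loss if it was captured earlier, so the sensible moment to collect it is when a stick is issued (or during the USB inventory of the remaining fleet). The script below is an added example, not part of the original article, that captures the BitLocker To Go facts the register needs for each removable volume attached to a Windows machine: volume status, encryption method, protector types and whether auto-unlock is on. It assumes Windows with the BitLocker PowerShell module (Get-BitLockerVolume) and an elevated session; the report path is a constructed default. Hardware-encrypted sticks such as IronKey do their own encryption and will show up as 'NotBitLocker', so for those the vendor's documentation is the evidence.

```powershell
# Added example (not from the original article): collect BitLocker To Go evidence
# for every removable volume on this machine so it can be attached to the data
# breach register. Assumes Windows 8 / Server 2012 or later, the BitLocker module,
# and an elevated session.
#Requires -RunAsAdministrator

function Get-RemovableEncryptionEvidence {
    [CmdletBinding()]
    param(
        # Constructed default output path; adjust to your register location
        [string]$ReportPath = "$env:TEMP\usb-encryption-evidence.json"
    )

    # Only removable volumes that actually have a drive letter
    $removable = Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter }

    $evidence = foreach ($vol in $removable) {
        $mount = "$($vol.DriveLetter):"
        # Returns a volume object even for non-BitLocker drives (VolumeStatus FullyDecrypted)
        $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue

        if ($bl) {
            # 'FullyEncrypted' is what the assessment needs; 'EncryptionInProgress' is not enough
            $status     = $bl.VolumeStatus.ToString()
            $protection = $bl.ProtectionStatus.ToString()
            $method     = $bl.EncryptionMethod.ToString()
            # Password / RecoveryPassword / ExternalKey: an ExternalKey stored on the same
            # stick would undermine the 'key kept separately' argument
            $protectors = ($bl.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() }) -join ','
            $autoUnlock = [bool]$bl.AutoUnlockEnabled
        } else {
            $status = 'NotBitLocker'; $protection = 'Off'; $method = 'None'
            $protectors = ''; $autoUnlock = $false
        }

        [pscustomobject]@{
            CollectedAt       = (Get-Date).ToString('o')
            Host              = $env:COMPUTERNAME
            MountPoint        = $mount
            Label             = $vol.FileSystemLabel
            SizeGB            = [math]::Round($vol.Size / 1GB, 2)
            VolumeStatus      = $status
            ProtectionStatus  = $protection
            EncryptionMethod  = $method
            KeyProtectors     = $protectors
            AutoUnlockEnabled = $autoUnlock
        }
    }

    # Write a timestamped JSON copy for the register and return the objects for the console
    $evidence | ConvertTo-Json -Depth 3 | Set-Content -Path $ReportPath -Encoding UTF8
    return $evidence
}

Get-RemovableEncryptionEvidence |
    Format-Table MountPoint, VolumeStatus, EncryptionMethod, KeyProtectors, AutoUnlockEnabled -AutoSize
```

A stick whose report shows VolumeStatus 'FullyEncrypted', ProtectionStatus 'On', a Password or RecoveryPassword protector and AutoUnlockEnabled false is the case the AP position above describes. AutoUnlockEnabled true on a laptop that travels with the stick weakens the argument, because the stick then opens without a password on that machine.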
Not encrypted? Follow the notification duty
An unencrypted USB with personal data is a data breach that is (almost always) subject to notification. Follow our detailed data breach 72-hour step-by-step plan:
- Determine nature and scope.
- Risk assessment: are there consequences for data subjects?
- Notify the Autoriteit Persoonsgegevens within 72 hours.
- Assess whether data subjects must be informed (article 34 GDPR).
- Document everything in the data breach register.
First 24 hours: search and mitigation
Search
- Ask the employee to retrace the last-seen route.
- Call the customer reception where last used.
- Report to NS / public transport lost-and-found if relevant.
- Check your own office spaces.
Mitigation
- Customer passwords (if any were on the stick): warn the customers concerned or have the passwords reset.
- Bank details: notify the customer, possibly block the bank card via the fraud reporter.
- Identity data: inform the data subject about vigilance for identity fraud.
- BSN (citizen service number) copies: extra alertness; read about BSN and patient data for the healthcare component.
Day 2-3: notification
- Fill in the online form on autoriteitpersoonsgegevens.nl.
- Data breach register update: new incident plus steps.
- Internal communication to affected departments.
- Assess whether notification to data subjects is required (in case of high risk to rights and freedoms).
Day 3-7: lessons and prevention
Here comes the prevention component. A data breach is an occasion to eliminate similar risks elsewhere:
- Inventory all USB sticks in the organisation. Many employees have one in their drawer that they forgot long ago.
- Set a policy: may employees still put personal data on a USB? Or only on encrypted sticks? Or not at all?
- Destroy old USB sticks. Read about disposing of USB sticks for the DIN E route.
- Mandate encryption via group policy.
- Document in the data breach register that preventive action has been taken.
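Two of the items above can be checked from a Windows machine itself. The script below is an added example, not part of the original article, that reads the registry values the BitLocker To Go group policy sets (so you can verify the mandate actually landed on a given machine) and lists every USB mass-storage device Windows has ever enumerated, which is a quicker starting point for the organisation-wide USB inventory than asking people to look in their drawers. It assumes Windows, an elevated session and the standard policy path HKLM\SOFTWARE\Policies\Microsoft\FVE; the USBSTOR key names and the two FVE values are real Windows identifiers, the function names are mine.

```powershell
# Added example (not from the original article): verify the BitLocker To Go
# policy on this machine and inventory USB storage devices seen by Windows.
# Assumes Windows and an elevated session.
#Requires -RunAsAdministrator

function Test-BitLockerToGoPolicy {
    # Group Policy writes the removable-drive (RDV) BitLocker settings here
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $props = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Host                   = $env:COMPUTERNAME
        PolicyKeyPresent       = [bool]$props
        # RDVDenyWriteAccess = 1: "Deny write access to removable drives not protected by BitLocker"
        DenyWriteToUnencrypted = ($props.RDVDenyWriteAccess -eq 1)
        # RDVDenyCrossOrg = 1: also deny drives encrypted by another organisation
        DenyCrossOrgDrives     = ($props.RDVDenyCrossOrg -eq 1)
    }
}

function Get-UsbStorageHistory {
    # Windows keeps one key per USB mass-storage model, with one subkey per serial number
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $root)) { return @() }

    foreach ($device in Get-ChildItem -Path $root) {
        # Key name looks like: Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP
        $parts = $device.PSChildName -split '&'
        $vendor  = ($parts | Where-Object { $_ -like 'Ven_*' })  -replace '^Ven_', ''
        $product = ($parts | Where-Object { $_ -like 'Prod_*' }) -replace '^Prod_', ''

        foreach ($instance in Get-ChildItem -Path $device.PSPath) {
            $p = Get-ItemProperty -Path $instance.PSPath -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Host         = $env:COMPUTERNAME
                Vendor       = $vendor
                Product      = $product
                # The instance key is the device serial, or a Windows-generated id ending in '&0'
                SerialNumber = $instance.PSChildName
                FriendlyName = $p.FriendlyName
            }
        }
    }
}

Test-BitLockerToGoPolicy | Format-List
Get-UsbStorageHistory | Sort-Object Vendor, Product, SerialNumber | Format-Table -AutoSize
```

Run across the estate (via your management tooling) and merged, the second function gives a list of serial numbers per host; anything not matched by a stick handed in during the collection round is a stick to ask about. A machine where DenyWriteToUnencrypted is false is one the group policy has not reached, which is exactly the gap an AP investigator will ask about.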
The biggest mistake after a data breach is only notifying and not acting preventively. During an AP investigation the question will be: ‘what have you done to prevent recurrence?’
The role of on-site destruction after a breach
After a lost USB, a group destruction of similar media is almost mandatory. It gives you two things:
- Evidence that you have acted preventively (for AP investigation).
- Actually less risk of recurrence.
We do this on site within 5 working days of the request. Staff hand in their USB sticks in a sealed bag; we destroy on the spot to DIN E-4. For the broader context of what does not belong in the paper bin, see what does not belong in the paper container.
Prevention for next time
- Policy: no unencrypted USBs with personal data.
- Hardware-encrypted sticks issued by the employer.
- Promote a cloud alternative: SharePoint, OneDrive or Box for file sharing instead of physical media.
- Annual USB inventory, destroying old sticks.
- On leaving: standard return of all USBs as part of off-boarding.
Endnote: what is the real risk?
Most lost USBs do not end up in the hands of someone who deliberately reads them out. A USB found in the street is often dropped into a regular waste bin or kept by the finder for personal use without looking at what was on it. The realistic scenario is usually not ‘data in enemy hands’ but ‘unknown fate’. Under the GDPR the latter counts just as much: you cannot rule out misuse, so caution is warranted.
USBs in stock? Destroy them in one trip.
We come on site with a mobile E-shredder and destroy your collection of USB sticks at DIN E-4 or E-5. With a certificate per stick.
Had a data breach? Email us via desnipperaar.nl within working hours for urgent scheduling of similar hardware destruction.