Now that we've covered the common security use cases and discussed some of the tools that a data scientist needs to be aware of in their everyday activities, there's one last important item to note. While in their custody, the responsibility for data, including its security and integrity, lies with the data scientist. This is usually true whether or not you are explicitly told. Therefore, it is crucial that you take this responsibility seriously and take all the necessary precautions when handling and processing data. If needed, also be ready to communicate to others their responsibility. We all need to ensure that we are not held responsible for a breach off-site; this can be achieved by highlighting the issue or, indeed, even having a written contract with the off-site service provider outlining their security arrangements. To see a real-world example of what can go wrong when you don't pay proper attention to due diligence, have a look at some security notes regarding the Ashley-Madison hack here: http://blog.erratasec.com/2015/08/notes-on-ashley-madison-dump.html#.V-AGgT4rIUv.
Another area of interest is that of removable media, most commonly DVDs and memory sticks. These should be treated in the same way as hard drives, but with the assumption that the data is always unsafe and at risk. The same options exist for these types of media, meaning data can be secured at the application level or at the hardware level (excepting optical disks, for example, DVD/CD). With USB key storage, there exists examples that implement hardware encryption. The data is always secure when written to them, therefore removing the bulk of the responsibility from the user. These types of drive should always be certified to Federal Information Processing Standards (FIPS); generally, FIPS 140 (Cryptographic modules) or FIPS 197 (AES Cipher).
If an FIPS standard is not required, or the media is optical in nature, then data can be encrypted at the application layer, that is, encrypted by software. There are a number of ways to do this, including encrypted partitions, encrypted files, or raw data encryption. All of these methods involve using third-party software to perform the encrypt/decrypt functions at read/write time. Therefore, passwords are needed, introducing the issues around password strength, safety, and so on. The authors have experienced situations where an encrypted disk was handed from one company to another, and the handwritten password handed over at the same time! Apart from a risk to data security, there are also possible consequences in respect of disciplinary action against the individuals involved. If data is put at risk, it's always worth checking best practice and highlighting issues; it is very easy to become lax in this area, and sooner or later, data will be compromised and someone will have to take responsibility - it may not necessarily be the individual who lost the media itself.