Today the North Carolina Charlotte Observer reported a laptop was stolen from the car of an N.C. Department of Revenue employee in December.
The department mailed letters to all 30,000 affected individuals this week. According to the report, this is the first time notifications have been made within N.C. since the state put its privacy breach notification law for government agencies into effect in the fall of 2006.
A few details about the incident that were reported:
“The state employee was attending a department seminar at a Raleigh hotel in mid-December when a thief broke into her car and snatched the computer, according to Kim Brooks, the department’s spokeswoman. The files did not include tax returns but did hold data such as Social Security numbers or federal employer identification numbers and tax debt owed to the state.”
As I have questioned many times in the past, why is an organization allowing an individual to load files with information about such a huge number of people onto a laptop computer?
“Brooks said that it is unusual for a single computer to hold so many files but that the employee was working on issues that required having the information accessible. ‘Some (department employees) do have laptop computers,’ Brooks said, ‘because when they go out to talk to taxpayers that’s often the fastest way to not only record data but have access to it when they need it.’”
If an employee is going to drive to homes to talk to taxpayers, then why not take the information JUST FOR THOSE TAXPAYERS? How many can they realistically visit in a day? 4? 5? 6? Having information about 30,000 taxpayers loaded on a laptop on wheels is certainly beyond excessive, is not necessary, and puts that information at huge risk for, gee, let’s see, perhaps laptop theft? Laptops are reported as stolen every day.
“The employee’s car was locked, and she had followed department policies about securing the computer, Brooks told the Observer. The computer contained security features, but Brooks said officials are examining additional software safeguards.”
Okay, if an employee left a laptop containing a huge amount of personally identifiable information (PII) in a car and was following department policies for computer security, there are obviously some information security policies missing from the N.C. Department of Revenue! Policies similar to the following should be in place in every organization:
* Laptops containing sensitive information and PII should not be left unattended in cars, even locked ones. A locked car slows down a thief by only a few seconds.
* Large amounts of PII should not be allowed to be loaded on laptops and other mobile computing devices that are taken out of the facilities. There are so many laptop thefts, and laptops are so easy to lose, that you’re basically asking for an incident to happen by allowing PII databases onto mobile computers.
* Any PII and other sensitive data allowed onto mobile computing devices should be strongly encrypted. That way, when the almost inevitable theft or loss occurs, the data cannot be compromised.
“The Department of Revenue did not announce the theft earlier because it was likely the thieves did not know what they had, and it gave the department time to contact taxpayers by letter.”
C’mon, how can you know the knowledge or plans of unknown thieves? This type of statement drives me crazy, as it does most of the other consumers impacted by these incidents. Organizations should not publish these types of statements; it is condescending to the victims, and from the victims’ perspective it appears the organization is minimizing the fact that their PII is now in the possession of some unknown person who can use it to do all sorts of bad things to their credit.
The article provides some interesting facts, re-emphasizing some that have already been widely publicized:
“A majority of the more than 200 data security breaches revealed nationwide since 2005 have come from government agencies, including four of the seven incidents in North Carolina. Last September, for example, the N.C. Division of Motor Vehicles notified 16,000 people whose information was inside a state-owned computer stolen in Louisburg. In May, a laptop computer with the Social Security numbers of 17.5 million veterans was stolen from the home of a U.S. Department of Veterans Affairs analyst near Washington.”
A majority of data security breaches nationwide are within government agencies.
Sounds like it is time (overdue, in fact) for a comprehensive federal data protection law, including breach notice requirements, that applies to ALL organizations that handle PII, doesn’t it?
Tags: awareness and training, encryption, government, Information Security, IT compliance, laptop theft, policies and procedures, privacy, privacy breach