A report in the Air Force Times indicates a laptop containing personally identifiable information (PII) about 1,000 West Virginia Air National Guard members was stolen during a training trip in November. The spokesperson for the Air National Guard indicated:
“The Air Force uses some of most sophisticated encryption processes to safeguard information on government computers”
…implying the data on the laptop was encrypted, but not coming right out and saying it was.
On November 27 the Chicago Tribune reported:
“A printing contractor for the Chicago Public Schools said Sunday that it mistakenly mailed a list of names, Social Security numbers and home addresses of nearly 1,740 former school employees as part of a packet of health-insurance information to them.”
Oops! Another privacy breach resulting from a combination of human error and actions by an outsourced vendor.
Last week I was at the Computer Security Institute 33rd Annual Computer Security Conference & Exhibition where Chris Grillo and I also gave our post-conference seminar, “Effectively Partnering InfoSec and Privacy For Business Success“. It was interesting to hear the folks attending both the conference and our seminar express their concerns related to information security and privacy. I am always intrigued by the various viewpoints of folks in not only different industries, but also of those who have very little experience in dealing with information security, privacy and compliance versus those with a great amount of experience. It is very noticeable how the viewpoints shift from trying to address primarily only technical issues (overwhelmingly those with little experience) to the viewpoint of incorporating the issues throughout the entire enterprise and into all processes through procedures, awareness and responsibilities (overwhelmingly those with much experience).
And yes…still another example of a laptop with clear text personally identifiable information (PII) being stolen.
Villanova University confirmed on 11/2 that a laptop with information about 1,200 of their students and staff members, along with other individuals not part of Villanova, was stolen from their auto insurer, Hilb, Rogal & Hobbs in September. Notifications went out to the involved individuals on October 26.
The Boston Herald reported a laptop “holding Social Security numbers of current and former staffers was stolen out of Greater Media’s Philadelphia offices.”
Greater Media is offering credit monitoring to the impacted individuals “if staffers sign up by the end of the year.”
Thursday, 11/2, the VA confirmed a computer containing data about 1,600 U.S. military veterans was stolen from their Manhatten hospital.
According to the report, it was stolen from “a locked room in a locked hallway at the VA hospital. The theft occurred Sept. 6, but VA officials sent out a letter to veterans only within the past two weeks. The personal data of about 1,600 people was on the computer’s hard drive. It was the third theft of personal data from a VA facility in less than a year.”
I am a big advocate of encryption. It is such a great tool for protecting sensitive and personally identifiable information (PII), particularly for such data that moves…while on mobile devices, storage devices, and while being transmitted through networks. Historically it was a challenge to implement.
In the past few years implementation has been getting much easier, and continues to improve. However, it is still no surprise, but yet a disappointment, that a recent study from Credant Technologies, Inc., yes, an encryption solution vendor, found that out of 426 IT practitioners interviewed throughout the world, 88% know sensitive data and PII is on their personnel’s mobile computers, but the only 20% have deployed encryption for such devices. Note the encryption is deployed; I would bet that the actual amount of PII and sensitive data encrypted on those devices is actually much lower.
I am a big advocate of encryption. It is such a great tool for protecting sensitive and personally identifiable information (PII), particularly for such data that moves…while on mobile devices, storage devices, and while being transmitted through networks. Historically it was a challenge to implement.
In the past few years implementation has been getting much easier, and continues to improve. However, it is still no surprise, but yet a disappointment, that a recent study from Credant Technologies, Inc., yes, an encryption solution vendor, found that out of 426 IT practitioners interviewed throughout the world, 88% know sensitive data and PII is on their personnel’s mobile computers, but the only 20% have deployed encryption for such devices. Note the encryption is deployed; I would bet that the actual amount of PII and sensitive data encrypted on those devices is actually much lower.
A solution for addressing laptop thefts and losses was described in a press release today. The product uses GPS in combination with encryption to locate stolen and lost laptops quickly in addition to being able to delete sensitive files from lost or stolen computers.
I know nothing about this particular product, "MyLaptopGPS," beyond this press release, but the concept is good, and there may be other products out there that do the same thing. Security in layers does not just apply to networks; it applies to all aspects of information security.
In fact, with regard to mobile computing devices it is good to take MANY safeguards, a few of which include:
Technorati Tags
information security
IT compliance
policies and procedures
encryption
awareness and training
laptop theft
privacy
In this episode I discuss how encryption supports compliance as well as effectively protects personal information. Encryption is an under-utilized security tool. Considering the infinite number of today’s risks, threats and vulnerabilities, encryption can effectively keep unauthorized individuals and systems from accessing sensitive information and thwart many types of attacks. In today’s business environment with sensitive information being stored in multiple locations, many of them mobile, encrypting information is an effective privacy safeguard organizations can add to their arsenal of safeguard tools. I also discuss incidents that occurred and how the laws, regulations, and regulatory bodies encourage the use of encryption.
Subscribe to this site's RSS feed. However over icon to see which services are supported.