Mark Twain once noted, and I paraphrase, "there are lies, damned lies, and statistics." There is also the observation that "to lie with statistics is easy. To lie without them is easier." What all this means is that when reporting a statistic, one also has to consider the information that makes up that stat.
Unfortunately, I only have a number, so I'm slightly loath to report this but here it goes....
According to the HIPAA Blog,
Roughly 5.8% of American adults have been victims of medical identity theft, with $20,160 being the average cost per victim.
The author of the blog picked up the figure at a lunch sponsored by Scott & Scott and Chartis.
The latest US population count lies somewhere around 307 million. 5.8% translates to 17.8 million people and a total cost of--wait for it--$359 billion.
That's a mind-boggling amount of money. As a reference point, Microsoft's combined revenues for 2005 to 2009, inclusive, are $254 billion.
Of course, for the medical ID theft, we have no reference point whatsoever: are the stats for last year? Or perhaps a combined total for the last 10 years? If so, what does the 5.8% figure really mean?
I wish some kind of supporting data had also been provided...
Medical facilities have to comply with HIPAA/HITECH, and the use of encryption software is, for the lack of a better word, actively encouraged.
I would assume that the use of encryption would curtail, or at least impact, the theft of medical information. However, there is no way to know. Consider all the ways that medical information can be stolen besides surreptitiously lifting laptops and external drives:
Internal attacks (less than ethical doctors, nurses, EMTs, etc.)
Lost or stolen paper documents, folders, etc.
A server hacking incident
With the exception of the last one, where file encryption or database encryption could prevent access to sensitive data, there is no way for encryption to prevent theft. Digital data encryption can't be used on paper documents, and how can encryption stand against someone who has the required passcodes for accessing encrypted data in the first place?
On the other hand, the rate of lost or stolen computers and external data devices (such as USB devices) is high enough that encryption can't be left on the backburner.
Related Articles and Sites:
http://hipaablog.blogspot.com/2010/07/interesting-stat-i-attended-lunch.html
http://financials.morningstar.com/income-statement/is.html?t=MSFT&culture=en-US
If you're a HIPAA-covered entity, you probably want to use data encryption software to protect any sensitive patient data. Otherwise, when a breach occurs, you'll have to notify a number of people: under current HIPAA regulations, it means the HHS and affected patients.
If a recent proclamation by the FTC is any indication, covered entities will have to watch out what they claim.
Rite Aid recently settled with the FTC and the HHS on charges that it failed to protect sensitive financial, medical, and health information. It's kind of expected, seeing how they were found dumping job applications and pharmacy labels full of personal information into your average open dumpster. The FTC and the HHS had launched an investigation after seeing on TV that Rite Aid had engaged in lax security.
So far, nothing surprising about all of this. What caught my eye, however, is the following in the FTC press release:
Rite Aid made claims such as, “Rite Aid takes its responsibility for maintaining your protected health information in confidence very seriously. . . Although you have the right not to disclose your medical history, Rite Aid would like to assure you that we respect and protect your privacy.” The FTC alleged that the claim was deceptive and that Rite Aid’s security practices were unfair.[My emphasis]
Yikes. That quote by Rite Aid is pretty much standard in all the breach notification letters I've read to date.
You might be wondering what the FTC has to do with all of this. Basically, the FTC is also supposed to get involved, per the HITECH Act, whenever there is a HIPAA breach, until a final rule is enacted.
Not just laptop encryption like AlertBoot, but what if any type of tool or technology meant to protect data was used? It's debatable, and ultimately depends on what the HHS and the FTC want to do, I guess.
We know, for example, that safe harbor--from sending breach notification letters, if a laptop is lost, stolen, missing, etc.--is granted by the HHS when protected health information is guarded with encryption software.
On the other hand, look at the list of Rite Aid's "failures," per the FTC press release:
Disposing of personal information
Adequately training employees
Assessing compliance with its disposal policies and procedures
Employing a reasonable process for discovering and remedying risks to personal information
I'm willing to bet that failure to adequately comply with the above also impacted the final settlement figures. You'll notice that the use of encryption tools would not impact the above at all.
One thing to be said about the use of encryption is that, if I recall correctly, you don't have to contact anyone about the loss of an encrypted device: not people "affected" by the breach, not the HHS, no one. And, if you don't alert anyone outside the business, there is no reason for the FTC or the HHS to come investigate you.
Which means that, perhaps, the use of encryption could resolve a lot of headaches, more than the technology is intended to.
I'm not too enthused about this conclusion, since proper data security requires a data security framework that includes medical encryption and other information security tools as well as the above four points (and others) detailed by the FTC.
However, if I am a company that needs to comply with HIPAA, I'd be crazy not to accept any advantages extended to me. Data security is already pretty hard as it is.
Related Articles and Sites:
http://www.databreaches.net/?p=12712
As I've noted before, the SCADA worm (or, more accurately, the Stuxnet worm/Trojan) has nothing to do with drive encryption software like AlertBoot. But, perhaps a service that's included in AlertBoot could be of help.
I didn't realize it last week, but the worm affecting SCADA actually exploits the Microsoft .lnk shortcut vulnerability, an attack that spreads via USB drives. The attack kicks in automatically when a shortcut icon is displayed (I want to say "infected shortcut icon" but it sounds wrong for some reason). Disabling autorun and autoplay in Windows can't prevent the infection, according to zdnet.co.uk.
In other words, you pop in an infected USB memory drive, open it up, and you're now infected. In order to prevent this from happening, you can get Sophos's Windows Shortcut Exploit Protection Tool for free. This was designed for people who don't use Sophos's antivirus software but need the protection.
Microsoft currently doesn't have a fix.
The above was the question a commenter left after reading the zdnet story.
Hm. That's an interesting question.
As another commenter noted, probably because of the keyboard and the mouse: PS/2 ports are generally not found in modern computers, so the same port that is used to read and write to USB thumbdrives is also used for hooking up your input devices.
Of course, perhaps the real question is "why are people popping their USB flash drives into a critical system?" And maybe the answer is, "because they can."
While encryption can't do much in the above situation, perhaps a security tool in AlertBoot's arsenal could be of help: port control software.
Port control allows an administrator to specify which devices can communicate via the USB ports. For example, mice and keyboards generally don't pose a risk and are required to make use of critical systems like SCADA, so they're allowed. On the other hand, perhaps that's not the case with other USB-based devices (your iPod, for example, shouldn't really be connecting to a machine that regulates a power plant).
You can see how such an application would be invaluable for managing the security of critical systems. In fact, here's what our company's page on port control has to say:
AlertBoot Port Control prevents unauthorized use of serial, parallel and other ports and controls access to CD-R or DVD-R drives:
USB ports (USB keys, personal music players, external hard drives, PDAs)
Serial ports (PDAs, old communication devices)
Parallel ports (printers, old communication devices)
FireWire (external hard drives, personal music players, PDAs)
IrDA® (infrared receivers, handheld portables, cell phones, cameras)
CD-R/DVD-R (burning data on CDs or DVDs)
Selective access control based on device classes, brand, and ID
Extended features of Port Control allow an organization to adapt the security control policies to accommodate new devices or ports. Organizations can also discriminate between "good" and "bad" devices based on the device classes, brand, and ID. This allows organizations to continue to use selective USB tokens or keys that are approved for use while excluding the use of other devices on that USB port.
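The selective device control described above, as an added illustration that is not AlertBoot's code or policy format: a first-match allow/deny evaluator over the class, vendor/product ID and serial a host reads from a device's descriptors when it is plugged in. Every vendor ID, product ID and serial below is a constructed placeholder, and the policy is an assumed one for a workstation attached to a critical system.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# USB-IF interface class codes for the device types the policy reasons about.
USB_CLASS_AUDIO = 0x01          # personal music players
USB_CLASS_HID = 0x03            # keyboards, mice
USB_CLASS_MASS_STORAGE = 0x08   # USB keys, external hard drives
USB_CLASS_SMART_CARD = 0x0B     # hardware tokens


@dataclass(frozen=True)
class UsbDevice:
    """What the host learns from the descriptors when a device is plugged in."""
    vendor_id: int
    product_id: int
    device_class: int
    serial: Optional[str] = None
    label: str = ""


@dataclass(frozen=True)
class Rule:
    """One port-control rule; any field left as None is a wildcard."""
    action: str            # "allow" or "deny"
    name: str              # shows up in the audit line so decisions are traceable
    device_class: Optional[int] = None
    vendor_id: Optional[int] = None
    product_id: Optional[int] = None
    serial: Optional[str] = None

    def matches(self, dev: UsbDevice) -> bool:
        wanted = (
            (self.device_class, dev.device_class),
            (self.vendor_id, dev.vendor_id),
            (self.product_id, dev.product_id),
            (self.serial, dev.serial),
        )
        return all(want is None or want == got for want, got in wanted)


def evaluate(rules: List[Rule], dev: UsbDevice) -> Tuple[str, str]:
    """First matching rule wins; a device no rule covers is denied."""
    for rule in rules:
        if rule.matches(dev):
            return rule.action, rule.name
    return "deny", "default-deny"


# Assumed policy: input devices are needed, one approved token is allowed by its
# exact brand, model and serial, and every other storage or media device is
# refused. First match wins, so identity-based allow rules go above class-wide
# rules. (All IDs are constructed placeholders.)
POLICY = [
    Rule("allow", "hid-input-devices", device_class=USB_CLASS_HID),
    Rule("allow", "approved-token", vendor_id=0xABCD, product_id=0x0001,
         serial="TOKEN-0042"),
    Rule("deny", "mass-storage", device_class=USB_CLASS_MASS_STORAGE),
    Rule("deny", "media-players", device_class=USB_CLASS_AUDIO),
]

# Constructed sample devices: plug-in events a SCADA workstation might see.
KEYBOARD = UsbDevice(0x1111, 0x0100, USB_CLASS_HID, label="keyboard")
THUMB_DRIVE = UsbDevice(0x2222, 0x0200, USB_CLASS_MASS_STORAGE,
                        serial="X7", label="thumb drive")
MUSIC_PLAYER = UsbDevice(0x3333, 0x0300, USB_CLASS_AUDIO, label="music player")
TOKEN = UsbDevice(0xABCD, 0x0001, USB_CLASS_SMART_CARD,
                  serial="TOKEN-0042", label="approved token")
OTHER_UNIT = UsbDevice(0xABCD, 0x0001, USB_CLASS_SMART_CARD,
                       serial="TOKEN-9999", label="same model, not approved")


def audit_line(dev: UsbDevice, decision: str, rule: str) -> str:
    """One log line per plug-in event, so denials can be reviewed later."""
    return (f"port-control {decision.upper()} rule={rule} "
            f"vid={dev.vendor_id:04x} pid={dev.product_id:04x} "
            f"class={dev.device_class:02x} serial={dev.serial} ({dev.label})")


def check_devices(devices: List[UsbDevice]) -> dict:
    """Evaluate each device against POLICY; returns label -> decision."""
    decisions = {}
    for dev in devices:
        decision, rule = evaluate(POLICY, dev)
        decisions[dev.label] = decision
        print(audit_line(dev, decision, rule))
    return decisions


if __name__ == "__main__":
    check_devices([KEYBOARD, THUMB_DRIVE, MUSIC_PLAYER, TOKEN, OTHER_UNIT])
```

The unapproved unit of the approved token model is refused by the default rule, which is the point of pinning the serial rather than only the brand and model.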
Related Articles and Sites:
http://www.zdnet.co.uk/news/security/2010/07/16/spy-rootkit-goes-after-key-indian-iranian-systems-40089564/
Hospital volunteers and patients at Hong Kong's Queen Mary Hospital are at risk because of a computer data breach. Two desktop computers and an external hard disk were stolen, and it looks like drive encryption software was not used.
One of the stolen computers contained the information of 700 cancer patients and dozens of volunteers: Chinese and English names, ID card numbers, phone numbers, and addresses. ID card numbers across the world are regularly traded in the electronic underground market, since they can be used for bypassing on-line verification services.
It's not apparent whether the thieves were after the data or not. Besides the computers and the hard disk, three computer monitors were also stolen. Seeing how this is a literal break-in--door locks were broken and there were other signs of forced entry--it could very well be that thieves just wanted to get their paws on anything of value.
On the other hand, once you have such goods in your hands, it doesn't take much to run cheap software that looks for sensitive data. After all, if a thief steals a car, he'll probably go through the glove compartment and trunk as well, just to see what's in there. I don't see why it would be any different for a computer.
This is not the first time a hospital in Hong Kong had to announce the breach of patient data. About a month ago, two other HK hospitals announced a data breach, and I've also covered numerous cases of lost or stolen USB memory sticks and computer thefts in the past.
Perhaps I shouldn't be, but I'm surprised when I hear that computers are not protected with encryption software when it comes to Hong Kong. If a data breach happens in the US, it's kind of understandable because the country is so large: one might not hear about a breach or what can be done to contain it, etc.
Hong Kong has something on the order of 6 million people and a land area about 5 times that of Boston. In other words, it's a pretty small city but densely populated (fourth highest population density in the world, according to Wikipedia). I bet you can't help but overhear--two tables to the right, while you're ordering steamed dumplings--what medical illness a stranger's cousin caught.
My guess is that most medical establishments know of the dangers of not having their machines adequately protected, which in turn implies that a conscious decision was made not to use data encryption programs in this case.
A shame, if this is true. While hard disk encryption cannot prevent all types of data breaches, it is very useful for preventing those related to the physical theft of computers and other digital data storage devices.
Related Articles and Sites:
http://www.thestandard.com.hk/news_detail.asp?we_cat=4&art_id=101008&sid=29035889&con_type=1&d_str=20100727&fc=1
http://www.phiprivacy.net/?p=3147
Thomas Jefferson University Hospitals (TJUH) has announced a medical data breach today. Approximately 21,000 patients are affected because a laptop was stolen from the hospital's premises. Disk encryption software was not used to safeguard the contents of the laptop.
On June 14 (the breach notice was posted on July 23, so a month after the original breach), a university hospital employee alerted security personnel that his personal laptop was stolen from an office. This personal laptop contained protected health information (PHI, or what patient information is called under HIPAA) for 21,000 people who received inpatient care at TJUH over a six-month period in 2008.
The university forbids the storage of PHI on non-university issued computers, a policy that the employee didn't follow.
The PHI involved consists of names, dates of birth, gender, ethnicity, diagnosis, SSNs, insurance information, hospital account number, and other internal codes.
The employee had turned on password-protection on his device; however, this is not considered to be adequate protection. (TJUH's security breach notice keeps emphasizing the lack of encryption software on the machine for a reason.)
One thing I noticed about the breach notice's contents is that, while saving PHI to non-university devices is prohibited, it was never mentioned whether it was also forbidden to bring in and use a personal laptop in a hospital setting.
Personal machines being used in the workplace are a mixed blessing. On the one hand, it could conceivably lower the hospital's own costs and increase productivity, since a new machine doesn't have to be issued to an employee and the employee doesn't require retraining on that new machine. I'm assuming, naturally, that one knows how to navigate one's own computer.
I'm also reminded of an experience I had in grad school: I was dealing with an inordinate amount of information for a spreadsheet. I needed to create some graphs using this information and it took forever to graph them in the computer labs. In fact, some machines were underpowered to the point that they would hang up. I could either try to gain access to the computer science department's machines (not a CS major) or use a personal device. I chose the latter.
If an employee is issued a dinosaur of a computer, it's not inconceivable that he would bring in his own device just to be a good trooper and finish his task.
On the other hand, it does mean an increased risk of a data security breach for a number of reasons:
The employees' machines may be infected with malware that now has access to the workplace's network, effectively invalidating the organization's firewalls;
There's probably no automated backup for personal machines, meaning that there is a loss of work if a computer malfunctions;
Troubleshooting, if extended to personal devices, would be nearly impossible with everyone's own configurations (one way to ease troubleshooting queries is to have everyone use the same machine);
etc.
Ultimately what it comes down to is: there is a lack of control. While ruling an organization's IT realm with an iron fist tends to work contrary to an organization's interests, keeping it loosey-goosey does so as well.
Theft is not the underlying problem here. If one assumes that a TJUH computer had been stolen from the same office, it wouldn't have resulted in a data breach because, as the hospital implies, all TJUH laptops are protected with an encryption solution similar to AlertBoot managed encryption. (Plus, one's got to face up to the reality that things will be stolen from any open environment like a hospital setting.)
So, perhaps, having personal computers encrypted by the hospital would make sense? After all, if an organization is not going to frown on it, they should do the minimum to support it--at least, when it comes to data security.
Related Articles and Sites:
http://www.jeffersonhospital.org/Patients/data-security.aspx
http://www.phiprivacy.net/?p=3138
The theft of a laptop from an employee's car has led the Iowa Department of Agriculture and Land Stewardship (IDALS) to announce a data breach. The laptop computer made use of data encryption software (something similar to hard disk encryption, probably). So why the announcement of a breach?
The breach affects Iowa residents that participated in the Iowa Horse and Dog Breeding Program. The laptop was stolen from an employee's car during a car break-in yesterday (July 22). The computer contained names, addresses, phone numbers, and Social Security numbers.
It was stated that "the computer did have an encryption protection," but the department is encouraging people to sign up for ID fraud alerts and such.
Iowa passed a data breach notification law around 2008. Losing a person's first and last name, along with the SSN, are grounds for sending out notification letters. Unless encryption software is used, that is. If encryption was used to protect the information, safe harbor is granted from going public.
There is, however, a provision in there that requires a breach notification if there is an elevated risk to those involved in the breach.
Could it mean that the machine was encrypted, but the password for accessing the device was also present? For example, perhaps taped to the laptop, or maybe jotted down on a notebook (the laptop case was stolen, too...those have space for a notebook).
Or perhaps, instead of using a full laptop encryption solution, the department had only used file encryption? If so, there could be a risk, since it can't be guaranteed that unprotected, sensitive files do not exist on that laptop.
Or maybe the department is just being overly cautious.
On the face of it, though, I must remark that this particular breach doesn't seem like one where a breach notification is necessary. As it stands, it seems like a whole lot of fear mongering.
Related Articles and Sites:
http://www.agriculture.state.ia.us/press/2010Press/press07222010b.asp
http://blogs.desmoinesregister.com/dmr/index.php/2010/07/22/theft-compromises-iowa-ag-department-program/
http://www.omaha.com/article/20100722/NEWS01/707239899
http://www.siouxcityjournal.com/news/state-and-regional/iowa/article_e50f9326-95e4-11df-95ed-001cc4c03286.html