The New Hampshire Technical Institute has filed a letter with the New Hampshire AG due to a potential data breach. According to the NHTI, a flash drive with information on students was lost on or around April 23. There is no mention whether full disk encryption was used on the drive; based on their subsequent actions, though, it seems quite unlikely.
The lost information includes students’ names, Social Security numbers, addresses, phone numbers, and e-mail addresses of 2006 and 2007 graduates of NHTI’s nursing program. The letter ended with the President apologizing for the incident and saying that they “are taking steps to prevent this type of breach from occurring again.”
The question is, what type of breach are they talking about here? They keep referring to a “security breach” in the letter to the attorney general, but it seems to me that they’re using the term for both physical security as well as information security. And while usually one begets the other, information saved in digital format allows one to go beyond this conventional way of thinking when it comes to security.
Digital data can be protected using encryption. This means that even if one ends up losing the device on which the data is stored, the data itself can be protected from an actual data breach. In other words, breaching physical security doesn’t necessarily mean that one will have a subsequent information breach as well.
Of course, encryption is not something that was specifically created for the digital realm. Cryptography is an old art—even Julius Caesar used it to communicate with his generals (granted, it was an easily‑breakable one but extremely effective at the time). And in Victorian England, lovers would send each other messages via the personals sections in newspapers—in encrypted form, of course. However, the times being what they were, messages were written on paper, and encryption was done manually. “Don’t attack yet” and “my heart pines for thee” is not a problem when encrypting messages by hand. Encrypting pages of information by hand? I’ve tried, and I can tell you I’d prefer to hire a burly guy with 17 black belts in all manners of martial arts to stand guard over the original, unencrypted document.
In the digital era, however, the biggest factor that made encryption virtually worthless for massive information security (i.e., the time and power needed to protect pages upon pages of data...and later decrypting them when necessary) is overcome with the use of computers. Instead of a person encrypting and decrypting information, one can have a computer take over the job. And this is why today the bonds between physical and information security can be broken: even if a laptop computer is stolen, whole disk encryption, a solution provided by AlertBoot among other companies, would ensure that the information is kept secure.