According to the Post-Tribune, FEMA has lost another laptop computer, and it looks like this one did not have its contents secured with disk encryption software like AlertBoot endpoint security. (The one thing about FEMA is that they never mention whether something is encrypted or not, but always make note of password-protection, if it was in place to begin with. I tend to read a lot into that.)
The laptop was stolen from a housing inspector's car. Sensitive information breached in this case included names, SSNs, dates of birth, and phone numbers of last year's flood victims who applied for assistance. The number of potentially affected victims is approximately 50 people.
Most notable about this case is that the theft occurred in early November 2008, but affected people are being notified only now, four months later. As FEMA noted, it takes time to find out who's affected and line up the correct assistance. And, the founder of ID Theft Resource Center seemed to concur, noting that "it may have taken that long to reconstruct the data base so as not to tip anyone off," according to a quote on the Post-Tribune.
Databreaches.net, a site that keeps track of data breaches, however, disagrees. It correctly notes that after another FEMA laptop theft, in July 2008, it took less than two weeks to arrange for credit monitoring and to contact everyone, even though that theft affected more people. And with 90 names, there were about twice the number of people...although, in the grand scheme of things, I'd say there isn't much difference between 50 and 90 people.
And that's probably the point. Why the disparate response times when the situations are so similar? And more importantly, why not have laptops encrypted when so many have gone missing prior to the November breach?
The answer to that last question is most probably because of the environment FEMA operates in. The deployment of encryption across an organization where all employees work within the same building is not particularly easy. Now imagine how much harder it would be to do the same when your workforce is constantly on the move.
On top of that, there's the outside help. FEMA is a pretty small organization. With fewer than 7000 employees covering all of the US, and with the need for highly specialized knowledge and management skills, they rely on outside contractors and personnel when providing aid.
I mean, it's not as if FEMA directly employs battalions of doctors and nurses to take care of emergencies (they'd be doing nothing half of the time, I'd bet. There are emergencies, and then there are FEMA emergencies)...and my guess is they don't have housing inspectors on staff, either.
Extending--even forcing--encryption to third-party companies is almost impossible, and with FEMA taking responsibility for outsider blunders...well, that's what economists call a moral hazard, no? Someone else loses the laptop, FEMA arranges for the credit check protection.
On the other hand, "it's difficult" is rarely the correct response when it comes to security. I mean, you don't see cities cutting down on the police force because it's difficult to keep crime in check. If anything, the opposite is true.
Related Articles: http://www.post-trib.com/news/1463758,fema-lost-laptop-0306.article