in

This Blog

Syndication

Tags

News

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Archives

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

July 2009 - Posts

  • South Carolina Personal Information Data Privacy Notification And Encryption Laws: § 39-1-90

    South Carolina has joined the ranks of U.S. states that require companies and other entities to alert residents of a data breach involving personally identifying information.  The law went into effect earlier this month, on July 1, 2009.

    Like many such laws based on the original California law, the South Carolina data breach law provides safe harbor when data is lost or stolen; however, this protection kicks in only if data protection measures, like encryption software, such as from AlertBoot endpoint security, is used to secure the data.  In other words,  no encryption = no legal protection.

    You'll want to consult with your legal advisor, as I'm far removed from the legal profession, but here are the major points covered by the law.

    What Is Personal Identifying Information Under South Carolina Law?

    Under Section 16-13-510 of the South Carolina legislature, "personal identifying information" is composed of the first name or its initial; the last name; and one or more of the following:

    • Social Security number;
    • Driver's license number or state identification card number issued instead of a driver's license;
    • Financial account number, or credit card or debit card number in combination with any required security code, access code, or password that would permit access to a resident's financial account; or
    • Other numbers or information which may be used to access a person's financial accounts or numbers or information issued by a governmental or regulatory entity that uniquely will identify an individual.

    The four points above are lifted directly from S.C.'s on-line legislature site.  I should remark that, as noted in the same section, the above definition only holds when elements are "neither encrypted nor redacted."  This leaves us in a weird situation where, for example, if you encrypt someone's full name and SSN, it stops becoming personal identifying information.

    Which makes sense, in a way: If it's encrypted, the information is scrambled up, so it can't be identifying anyone anymore.  (Or, I guess, it's a roundabout way of saying that you're legally protected if you encrypt sensitive information.)

    Penalties For Violating South Carolina's Data Privacy Law

    So, let's say that a company decides "to heck with it, we're not notifying people."  What kind of damages are we looking at here?  Well, it's kind of complicated.

    Under Section 39-1-90 H, one faces a fine of $1,000 per resident affected by the breach.  Lose a USB disk with 50 names and SSNs, and you're looking at a $50,000 fine.

    But, that section is slightly confusing...

    A person who knowingly and wilfully violates this section is subject to an administrative fine in the amount of one thousand dollars for each resident whose information was accessible by reason of the breach, the amount to be decided by the Department of Consumer Affairs. [my emphasis]

    "The amount to be decided?" What "the amount to be decided?"  The previous portion clearly states that it's $1,000 per resident.  Does the Department of Consumer Affairs have the ability to cap the fine (say, no more than $10,000)?  Also, that's not the end of it.
     
    Under Section 39-1-90 G, any South Carolina resident is allowed to do the following:

    • Institute a civil action to recover damages in case of a wilful and knowing violation;
    • Institute a civil action that must be limited to actual damages resulting from a violation in case of a negligent violation of this section;
    • Seek an injunction to enforce compliance; and
    • Recover attorney's fees and court costs, if successful.

    This is in addition to any other rights S.C. residents may have.

    If you don't speak lawyer-ese, I believe that to "institute a civil action" refers to a civilian filing a lawsuit in court.

    An "injunction" is fancy-speak for a court order that stops someone from doing something; I guess in the above, it means that one can sue a company to stop not notifying people?  Which in turn means that they have to start notifying people of a breach?  Yeah, I don't get it either; consult with a lawyer.  (It probably means you have the power to force companies to correct any ills.)

    Obviously, a company's going to have to shell out money to defend itself.

    Taking the above into consideration, using disk encryption programs on laptops is beginning to look like a cost-effective alternative.  And if you decide not to use it, then at least don't try to hide a breach...it just can't end well.

    Notification for South Carolina Data Breaches

    OK, so the above section on penalties scared you straight into alerting residents of a data breach.  How do you do it?  You have a choice of:

    • Written notice
    • Electronic notice, but only if that's the primary method of communication (for example, a company like Yahoo! only gets in touch with me via e-mail.)
    • Telephonic notice (slightly expensive if a lot of people have been affected by a breach)

    Also, a substitute notice can be used, if:

    • Cost of providing notice exceeds $250,000; or,
    • Residents to be notified exceeds five hundred thousand; or,
    • There is insufficient contact information for direct contact

    Substitute notice can consist of e-mail (I guess even if it wasn't the primary method of communication), conspicuous posting of the notice on the company web site page, or alerting major statewide media.

    Finally, the Consumer Protection Division of the Department of Consumer Affairs and all consumer reporting agencies must be notified as well if more than one thousand people are affected.

    As far as I can tell, there is no word on what must be included in the notification letter (some states, for example, specify that the date of the breach, where it happened, etc. must be included).

    Related Articles and Sites:
    http://www.scstatehouse.gov/code/t39c001.htm

     
  • Data Encryption On Broomfield Laptop Is Too Little, Too Late? I...Disagree

    Broomfield Hospital in the UK has alerted 2,000 patients that their confidential information was saved on a laptop computer that was stolen.  The good news is that full disk encryption, similar to what AlertBoot offers, was used to secure the contents.  The bad news?  I don't think people involved understand what encryption is and what it can do.

    Too Little, Too Late?  Really?

    According to chelmsfordweeklynews.co.uk, when informed of the theft, Michael Summers at the Patients' Association claimed it was "too little, too late...[adding] it is a real worry for patients and it is happening on a regular basis. I am very concerned. The NHS has not managed to secure patients’ records."

    Uh, what?  Too little, too late?  Let me tell you what's too little, too late: it's those companies and agencies out there that start their encryption process after sensitive data gets stolen because they assume that their physical security is foolproof...until events prove otherwise.  It appears that Mr. Summers is making the same assumption, that physical security can be absolute.

    And yet, we only have to refer back to history (modern or otherwise) to see that physical security is always a little lacking.

    I'd say the hospital did itself and its patients a huge service by going ahead and encrypting their computers, as required by the data protection laws in the UK.  Despite the fact that the laptop is missing, chances are the patient data on it will not be accessed.

    Further proof that that hospital knows what it's doing: none of the data is missing, since it was backed up to a computer.  A secure one.

    How Does Encryption Software Help?

    Encryption software works by scrambling data.  In order to unscramble it--so it makes sense to people--the correct password is required.  Despite the simple explanation, cracking encryption is not a simple process.

    It's why government agencies across the world use encryption to secure their communications.  And, what's good enough to secure sensitive top secret and classified information should be more than adequate at protecting something like patient data.

    I certainly don't mean to imply that such data is trivial.  On the other hand, revealing to the world that I've got, say, Hep A doesn't put the world at the brink of war.  So, if encryption can prevent city-states from pointing missiles at each other, well, it certainly can protect people's medical conditions from being revealed.

    Related Articles and Sites:
    http://www.chelmsfordweeklynews.co.uk/news/localnews/4520048.2_000_hospital_patients__records_stolen/

     
  • Data Encryption Software For Third Party: Fayetteville School District Staff Experience ID Fraud

    Databreaches.net has linked to a story of how staff members at the Fayetteville School District in Arkansas have fallen victim to ID theft--and nobody knows how (at least not yet).  The one commonality among all victims is that they're registered with a company that provides health and dental insurance.  Looks like an outside breach, which, depending on the situation, could have been prevented with the use of hard drive encryption software.

    Was Third Party The Source of The Data Breach?

    So far, 30 teachers, librarians, and counselors were targeted, with one of them having received a bill for $4,000.  Apart from the fact that they were being served by the same insurance company, all victims have last names that fall between the letters A and G.

    We shouldn't yet assume the insurance company as the source of the breach.  One has to ask, "how many people that work for the Fayetteville School District, whose last names start from A though G, and are being served by the insurance company, are not victims?"

    And, if there's plenty of non-victims, is it because the criminals haven't had a chance to defraud everyone?  Or is because it happens to be a huge coincidence (the ties to the insurance company, I mean)?

    Similarly, it could be that the "A through G" pattern stands out because the criminals have decided to commit fraud on an alphabetical basis, and haven't reached beyond "G" yet.  Or, it could be that they managed to gain a partial list only.

    Preventing Third Party Data Breaches

    On the other hand, I wouldn't be surprised if the above were indeed due to the theft or loss of a laptop or external hard drive by a third party.  It happens quite often.  The GAP, for example, experienced a third party data breach about two years ago that affected 800,000 job applicants.

    How can one prevent third party data breaches? Short, blunt answer: you can't.  However, a company could state in contracts that third parties must use data protection software like full disk encryption on all of their company laptops.  This way, if something untoward happens, the data is protected.

    However, that company must also follow up to ensure the terms of the contract are being kept by the third parties.  Performing an encryption audit, for example, is required.  The GAP had encryption on laptop computers stated as a contractual term, but...well, we know how that turned out.

    Related Articles and Sites:
    http://www.databreaches.net/?p=6467
    http://www.4029tv.com/news/20208300/detail.html
    http://www.wreg.com/sns-ap-ar--arkteachers-idtheft,0,493369.story

     
  • Email Protection: McAfee Has Small (But Ironic) Data Breach Via Email Attachment

    Networkworld.com is reporting that McAfee has had a small data breach of sorts.  It's ironic on so many levels because McAfee is a data security company; they market a solution for e-mail security; and the people involved in the breach were attendees of a security conference.

    The lost information is, well, quite personal on some levels, but not exactly the type of data I'd feel requires the use of data encryption like AlertBoot.

    Personal Details

    According to the story, an attachment that contained the information of all 1,408 people was included in a thank-you e-mail sent to conference attendees.  The information included "names, numbers (telephone numbers?), e-mail addresses, employment details, and...dietary requirements."

    Not exactly scandalous.  I mean, so 1,407 people might now know that another guy is lactose intolerant, or needs a kosher meal, or requires that only blue M&Ms be served because he's a rock-star-turned-security-guru.

    Meh.  Worse things have happened; although, I must admit McAfee does have a slightly embarrassing situation.  It'll blow over, though. (Unless it mushrooms into something bigger such as, say, McAfee filing a lawsuit against the guy who "leaked" this information.  Now that would be scandalous.)

    Layered Security Has Its Limits, Too

    That being said, the above is also indicative of why one needs to approach data security in a layered manner.  Many people deploy some kind--any kind--of data security solution and then expect to be "secure."  This is like expecting a contract with ADT will prevent one from experiencing break-ins, so locking doors and shutting windows is neglected.  That's no way to approach security--data or otherwise.

    But, in the above case, even if McAfee had all the correct security software in place, it probably wouldn't have caught the data breach.  Why?

    Because the above information is not that critical.  Nobody (OK, almost nobody) creates a data security policy based on the fact that e-mail addresses and phone numbers exist on a spreadsheet.  This stuff gets exchanged all the time--heck, most of the time, and that's the intention.

    If you do create a data security policy flagging attachments with e-mail addresses and numbers, though--in order to prevent a similar McAfee e-mail snafu--you're going to generate false positives (stopping e-mails with attachments that are supposed to have those attachments) more than anything else.

    About the only way to prevent McAfee's data-peccadillo from happening is to have people pay attention to what they're doing...you can't package and sell that, unfortunately, which is the ultimate reason why you can't have 100% data security.

    Related Articles and Sites:
    http://www.networkworld.com/news/2009/072909-security-vendor-mcafee-spills-1400.html

     
  • Hard Drive Encryption: University of Colorado Professor Laptop Stolen From Home

    On July 5, a faculty member at the University of Colorado at Colorado Springs had a home burglary which resulted in the theft of two laptops, one of which contained the information of 766 students.  It hasn't been revealed so far if the information was protected via the use of laptop encryption software.

    The information included grades, names, and--for 241 students--their Social Security numbers.  The data breach affects students who studied at the UCCS between 2003 and 2009.

    It was noted in the embedded video at kttv.com that the university stopped using SSNs as student ID numbers back in 2005, which probably accounts for the low number of SSNs in light of the total number of students affected.

    This brings to light two interesting questions:

    1. Why did the faculty member have in his laptop SSNs from 4 years ago?  If the UCCS did everything correctly, it shouldn't have been there.  Unless, of course, students who enrolled at the university in 2005 still were using their SSNs as student IDs.  If that were the case, then they would have graduated this year on a four-year program...
    2. This professor has been using the same laptop for six years?  Makes me wonder what he teaches.  Chances are it's not related to computers...

    What If Encryption Software Had Been Used?

    Already, there are people commenting on how the information should have been on secure servers only.  In fact, I've read a comment that states that the information should have been on "secure, non-portable servers."

    I'm not sure what that means because, the last time I checked, any computer of any size can be stolen.  In a sense, they're all portable (easily carried vs. movable/"carriable").  If you want something that's not portable, you'd have to go back to 1970 when a "computer" was essentially a wired room; i.e., the room is the computer.  Nobody wants that.  A better solution may have been the use of whole disk encryption.  This would have ensured the integrity of the data.

    It's very hard to blame the professor here.  I mean, he didn't have a laptop stolen from his pickup truck while he was playing a round of golf.  The computer was stolen during a break-in.  For all intents and purposes, the information on that computer was probably as well protected as it would have been in a locked room on campus.

    People don't actually think that campus buildings are always better protected than residential homes, do they?  Here's proof that they aren't: thieves steal a mainframe computer (as close as it gets to non-portable computers) from a university campus (http://www.dallasnews.com/sharedcontent/APStories/stories/D99E9O001.html).

    Related Articles and Sites:
    http://www.kktv.com/news/headlines/51897687.html
    http://www.krdo.com/Global/story.asp?S=10803897
    http://www.thedenverchannel.com/news/20202794/detail.html

     
  • Laptop Encryption Software: Colorado City Engineer Computer Stolen While Golfing

    Employees for the city of Brighton, Colorado are being alerted about a laptop and USB disk theft that could compromise their bank account numbers, Social Security numbers, and addresses.  The theft occurred when someone broke into the city's lead IT engineer's truck while he played a round of golf at a charity tournament.  And while it was revealed that data encryption software was used on the missing laptop, the city's being mum on what type of data security was in place for the USB disk, if at all.

    Encryption Not A Cure-All For Lack Of Common Sense

    The use of full disk encryption for laptops and external portable disks pretty much ensures that access to data by unauthorized people will be prevented in the event of theft.  This is, of course, assuming that a) the owner/user of the laptop didn't leave a copy of the password attached to the laptop and that b) strong encryption was used.

    Seeing how in the above case the laptop belonged to the city's lead IT engineer, I'd like to assume that the above two conditions were met.  And I'll assume they were--indeed, the mere presence of encryption software strongly suggests that someone gave some thought to the idea of data security. (Why this was not extended to the USB disk, I don't know.)

    And, if strong encryption was used, then the contents are safe.  Some will claim that encryption can be broken by people who know what they're doing; however, people with those kinds of skills tend to work for legal entities, such as the NSA.  After all, why run the risk of going to prison when you can have a stable job doing the same thing, and send other people to prison?

    So, I'd feel pretty secure if it was my information on the laptop (not so much if it were on the USB disk).

    On the other hand, I'm not too crazy about the circumstances under which the thing was stolen.

    He arrived at the golf club around 11:30 a.m.  My guess is the actual charity tournament started around noon.  If ESPN is any indication, it means that it's gonna take this guy around four hours to finish up, plus he may have assorted after-charity events to attend to.  (Indeed, he didn't make it back to his vehicle until 7:30 p.m., and that's when he found his truck was broken into.)

    In other words, he's not going to work today.  So, why carry around a work laptop?  If you know you're not going to use it, don't carry it around.  Especially if you've got sensitive files on it, for goodness sake!  I mean, the data may be protected, but that's no reason to subject a computer to a higher probability of getting stolen.

    Related Articles and Sites:
    http://www.thedenverchannel.com/news/20173880/detail.html

     
More Posts Next page »