The Virginia Department of Education has announced the loss of a 2-gigabyte flashdrive that contained the personal information of 103,000 former adult education students. The device did not use disk encryption software like AlertBoot to protect its contents. The personal information, according to the washingtonpost.com, included SSNs, names, employment, and demographic information for those who: Finished an adult education course between April 2007 and June 2009, inclusive, or Passed a high school equivalency test between January 2001 and June 2009
The Virginia Department of Education has announced the loss of a 2-gigabyte flashdrive that contained the personal information of 103,000 former adult education students. The device did not use disk encryption software like AlertBoot to protect its contents.
The personal information, according to the washingtonpost.com, included SSNs, names, employment, and demographic information for those who:
As the story goes, an employee working for the VA Dept. of Education copied the information to a flashdrive and handed it over to a representative of the Virginia Tech's Center for Assessment, Evaluation, and Educational Programming. (That's a mouthful.) The VT representative reported it missing the next day.
The incident raises a number of questions, such as, why were SSNs included? The information was to be used for "federally mandated research." Certainly SSNs and names were not deemed needed for such research? On the surface, it looks like the information was to be used to improve educational programs. I don't see how personal information would factor in such improvements. Why was neither the file nor the flash drive encrypted? It's against the policy of the VA education department to transfer sensitive information in unencrypted format. This seems to imply that the employee that copied the data had access to encryption software to protect the data; why was it not used? Furthermore, an entire flash drive was handed over, from one agency to another. I imagine it was a flash drive that belonged to the Dept. of Education. Why weren't they using encrypted flash drives? In hindsight, it may have been a better alternative to requiring an employee to encrypt sensitive data as needed, which tends to be less successful when it comes to data security. Indeed, what they should have done--assuming the flashdrive was used because the files were too big to be e-mailed securely--is to copy the files to the encrypted drive, and to separately e-mail the passcodes to access the device. They could have done the reverse, e-mailing an encrypted file and forking over the passcodes once they've met, if attachment size was not an issue. This way, there is no worry that an encrypted drive is lost along with the username and password for accessing the protected data.
The incident raises a number of questions, such as, why were SSNs included? The information was to be used for "federally mandated research." Certainly SSNs and names were not deemed needed for such research? On the surface, it looks like the information was to be used to improve educational programs. I don't see how personal information would factor in such improvements.
Why was neither the file nor the flash drive encrypted? It's against the policy of the VA education department to transfer sensitive information in unencrypted format. This seems to imply that the employee that copied the data had access to encryption software to protect the data; why was it not used?
Furthermore, an entire flash drive was handed over, from one agency to another. I imagine it was a flash drive that belonged to the Dept. of Education. Why weren't they using encrypted flash drives? In hindsight, it may have been a better alternative to requiring an employee to encrypt sensitive data as needed, which tends to be less successful when it comes to data security.
Indeed, what they should have done--assuming the flashdrive was used because the files were too big to be e-mailed securely--is to copy the files to the encrypted drive, and to separately e-mail the passcodes to access the device. They could have done the reverse, e-mailing an encrypted file and forking over the passcodes once they've met, if attachment size was not an issue.
This way, there is no worry that an encrypted drive is lost along with the username and password for accessing the protected data.
Related Articles and Sites:http://www.washingtonpost.com/wp-dyn/content/article/2009/10/14/AR2009101402118.htmlhttp://datalossdb.org/incidents/2387-names-social-security-numbers-and-demographic-information-of-over-103-000-on-lost-flash-drive