AlertBoot Endpoint Security

Drive Encryption Software: Williams College Experiences Laptop Theft

Williams College, in Williamstown, Massachusetts, has alerted the NH Attorney General about a recent computer theft.  It was not mentioned whether the stolen computer had hard disk encryption installed to protect its contents, a move that would have been highly appreciated by the 750 affected, I'm certain.

Car Break-In Is The Cause

The data breach was triggered when a laptop computer was stolen from a Williams College vehicle.  The computer contained the SSNs and names of approximately 750 individuals from 39 different US states as well as several countries.

The break-in occurred on October 3; Williams College officials were notified on the 5th, and affected students (and alumni?) were notified later that month.

The reason for the delay?  The college had to find out who was affected by the breach.  The computer that was stolen was a new one, so an analysis of the replaced computer was done to see what files were copied over, and the user of the computer was also interviewed to see what other files may have been saved to the device.

The site databreaches.net has noted that the breach notification letter to the affected does not describe how the breach occurred, although the letter to the NH AG does mention it.  According to that site, this is further justification for a law that would force entities to make this information public to all.

Soon, This Type Of Breach Won't Be Tolerated

Call it luck if you will, but Williams College is lucky that they had this breach when they did.  Had Massachusetts not postponed the date when the state data encryption laws would kick in, the college would be in some serious trouble.

According to the soon-to-be effective law (the compliance date was extended to January 1, 2010 from much earlier in the year), name and SSN combos must be protected via encryption.  Not complying means fines and possibly action by the Attorney General.

What should Williams College have done?  Well, simply put, that new computer that was stolen should have been encrypted before any data was copied over.  That sounds weird, since, if there's nothing on the laptop, there's nothing to encrypt, either.

However, that's what full disk encryption software like AlertBoot does.  It encrypts a computer's hard drive, and anything that's copied to that computer is encrypted as well (copy the file off the computer, and it's not encrypted anymore).  It differs from file encryption, where an individual file is protected.  In this latter case, the file always remains encrypted no matter where you send it or copy it.

An additional benefit of using encryption software to protect the names and SSNs may have been the safe harbor from sending notification letters.  New Hampshire is not such a state, but plenty of states have passed laws where, if the personal information was encrypted prior to being stolen, the "affected" do not need to be notified (mainly because encryption will prevent the "affected" from being affected--the danger of becoming a victim is virtually nil).


Related Articles and Sites:
http://doj.nh.gov/consumer/pdf/williams_college.pdf
http://www.databreaches.net/?p=8107


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.