A little over two years ago, a laptop computer belonging to the Connecticut Department of Revenue Services (DRS) was stolen. It did not use hard drive encryption software like AlertBoot to protect its contents, and the theft led to the breach of personal information for 106,000 people.
An investigation was started after the breach was made public, and little-known details were revealed, such as:
- The laptop was stolen from a parked vehicle
- The person who took the laptop had gotten authorization to do so
- That same person was on vacation (why take a work laptop, then?)
When details like the above are taken into consideration, it makes one wonder whether the lack of security (keeping a laptop in a car and not using disk encryption) was systemic and endemic. On the other hand, an employee--about to leave on vacation--asking whether a work laptop can be taken seems to counter the assumption that security was not a factor to consider at the DRS. Most people would probably just take it without a second thought.
What prompted me to revisit this case was an opinion piece at the New Haven Register. It looks like the lack of security was systemic and endemic.
"As part of their review of lapses in the security of tax records, [Attorney General] Blumenthal and the auditors found that any Department of Revenue Services employee with computer network access could not only read taxpayer records, but make alterations in them. There was no reliable way of tracing who accessed the records. This breakdown in taxpayer confidentiality was potentially far more serious than the theft of the laptop"
The guy who asked for permission to take his laptop sounds like the most security-minded person in the world when contrasted with the above.
The costs related to the breach actually went over $1 million. It was already assumed at the beginning that providing identity theft protection would reach the $1 million figure, but it looks like the additional need for security implementation pushed the figure over.
The implementation of new security is something that most people don't factor into the cost of a data breach, although it makes sense to do so. After all, an organization cannot afford to experience the same breaches over and over; furthermore, it wouldn't have thought to implement that security prior to the breach.
On the other hand, if the same organization had implemented the same security beforehand, it wouldn't have experienced a breach to begin with, saving it seven figures.
The case could be pictured as one where a million buckaroos were spent unnecessarily because a guy decided to take his work laptop to a hockey game. It would be, perhaps, more accurate to picture it as a situation where a million bucks were spent because an organization wouldn't spend a fraction of that on the correct information security tools like encryption software for computers and data monitoring.
Related Articles and Sites:
http://www.alertboot.com/blog/blogs/endpoint_security/archive/2007/09/06/government-agency-uses-more-laptops-requires-mobile-data-protection.aspx
http://www.nhregister.com/articles/2009/11/03/opinion/doc4aefbbb5eb9e3472495838.txt