Here's another story that shows how drive encryption software could have prevented a data breach. Current and former students at the Bloomsburg University of Pennsylvania are being notified of a data breach.
The breach affects only students who took psychology classes taught by professor Julie Kontos, from spring 2004 through the summer of 2006.
The data breach occurred when several computers and digital devices were stolen from an office at Centennial Hall. One of the computers belonged to the psychology department and was used by Kontos.
On the computer were files with students' grades and SSNs (and, I assume, names as well). While the university stopped using SSNs as student ID numbers back in 2006--an excellent move when it comes to data security--it's of limited efficacy with the records going back to 2004.
A total of 574 students are being notified of the incident.
While one could argue that the breach could have been prevented (via the use of data security products like full disk encryption such as AlertBoot endpoint security software), I think I detect hints that BU's probably practicing good data security. Their response is pretty stellar when you think about it.
Granted, not having a data breach would have been even more stellar, but consider their actions: the use of SSNs as IDs was discontinued. They obviously engage in good data redaction and/or control; otherwise, the other stolen laptops would have led to breaches as well. Also quite obvious, they keep good backups--the only way they could have determined that 574 students were affected.
Also, the theft occurred on Nov. 1. By Nov. 4, they knew student SSNs were part of the contents. Today, Nov. 12, the breach was made public and people are being notified. It took eleven days from breach to notification.
Compare this to BlueCross BlueShield, which is currently being investigated by the Connecticut AG because the HMO took 2 months to do the same. (And, I should note, the fact they're being investigated is newsworthy as well...over the past three years or so, plenty of companies have taken 2 months or longer to notify the affected. The only ill-effect? The affected complained about the delay...)
Pennsylvania is one of the many states in the US that allow an exemption from publicizing data breaches if the data was encrypted. (There is an exemption to the exemption as well: if the encryption keys were compromised during the breach, there is no safe harbor. This is actually very pragmatic. If the keys were compromised, so is the data protection in place.)
Had BU used encryption software, it would have meant that there was no need to notify anyone. Not because it's a legal loophole, but because the protection afforded by data encryption is real. I'll bet that students would have preferred the use of encryption and no notification over the lack of encryption and notification as well.
Related Articles and Sites:
http://www.dailyitem.com/0100_news/local_story_315205956.html?keyword=topstory
http://www.bloomutoday.com/default.asp?sourceid=&smenu=1&twindow=&mad=&sdetail=1053&wpage=1&skeyword=&sidate=&ccat=&ccatm=&restate=&restatus=&reoption=&retype=&repmin=&repmax=&rebed=&rebath=&subname=&pform=&sc=2533&hn=bloomutoday&he=.com
http://www.dailyitem.com/0100_news/local_story_315205956.html