Over 70,000 Alaskans have had their personal information "misplaced." Those affected are former and current state employees who participated in PERS and TRS, Alaska's retirement systems. It wasn't revealed how the breach occurred, but I'm assuming it was digital, and that data encryption was not used.
The breach was discovered in early December by the auditing firm, PwC, but the state was not notified until last week, according to press releases. Names, dates of birth, and Social Security numbers of employees who participated in the Public Employees Retirement System (PERS) and the Teachers Retirement System (TRS) between 2003 and 2004 were affected. The breach does not affect anyone hired after those years.
PwC had the information as part of an ongoing lawsuit in which it was working on the state's behalf. In December, PwC found that it could no longer locate the information.
PwC has settled with the state of Alaska and is offering free credit monitoring and identity theft protection to everyone affected. It will also be liable for any funds stolen from the 77,000 state employees as a result.
Why am I assuming it was digital information, that is, data on computers, external hard drives, USB flash drives, and the like? Simple arithmetic: printed at 77 names per page, 77,000 names make a 1,000-page document. That is hard to misplace or leave behind.
On the other hand, losing a USB memory stick holding a spreadsheet of 77,000 names? It's happened before. Furthermore, if you read the security breach factsheet (link below), you'll notice that firewalls and encryption are specifically mentioned as measures the state of Alaska has implemented (in general, not as a response to this incident) to protect personal information.
Why mention them if this was a paper breach rather than a digital one? It could be part of a boilerplate statement, and perhaps I'm reading too much into it.
My further assumption is that encryption software was not used, if the breach did come down to a lost USB stick or similar device. Why? Because of Alaska's law.
Alaska's data breach notification law went into effect last year. Among other things, violating the law means a penalty of $500 per person not notified, with a $50,000 cap, plus exposure to further damages through lawsuits.
Furthermore, the law's definition of personal information covers a person's first and last name combined with their SSN. If such information is lost, a data breach is considered to have taken place.
Unless the information is encrypted:
"personal information" means information in any form on an individual that is not encrypted or redacted, or is encrypted and the encryption key has been accessed or acquired, and that consists of a combination of... [Sec. 45.48.090(7)]
If the information was encrypted, PwC wouldn't have been required to alert anyone, if I'm reading the above correctly. Note the condition the definition itself attaches: encrypted data counts as protected only if the encryption key was not also accessed or acquired, so a lost encrypted device whose passphrase travelled with it gets no safe harbor. And even if I'm wrong about that conclusion, I'm pretty sure PwC wouldn't be offering credit and identity theft protection (which I'd estimate costs anywhere from $500,000 to $1.5 million) if encryption software had been used to secure the information: with the key out of reach, the risk of a full-blown breach is about as low as it gets.
Heck, a guy would stand a better chance of reconstructing shredded documents than of breaking into properly encrypted data.
Related Articles and Sites:
http://www.legis.state.ak.us/PDF/25/Bills/HB0065Z.PDF
http://www.businessweek.com/ap/financialnews/D9DGVUE01.htm
http://www.alaskadispatch.com/images/media/files/news/politics/price-waterhouse-security-breach-factsheet.pdf
http://newsminer.com/pages/full_story/push?blog-entry-Security+breach+may+affect+77-000+Alaskans%20&id=5689968&instance=blogs_editors_desk
http://www.ktuu.com/Global/story.asp?S=11896773
Three laptop computers were stolen from the offices of the Ontario Teachers Insurance Plan, resulting in a data breach of sensitive personal information for 8,600 teachers. Data encryption software such as AlertBoot was not used to protect the contents, although password protection was used (which, as explained below, counts for very little).
The stolen laptops contained names, addresses, birth dates and social insurance numbers, and the breach mostly affects teachers who "work at elementary schools for the Toronto District School Board."
The laptops were stolen during a break-in on December 3. Aside from the three laptops, cash from a cafeteria register was taken, and the thieves tried to break into the supplies closet as well. Signs point towards a "regular" robbery, where the laptops were taken because they have resale value, not because they might contain valuable data.
The fact that this looks like your average break-in, and may well have started as one, does not prevent it from becoming a full-blown breach of personal information.
As I have argued many times before, a laptop theft can easily become a data breach, especially now that the world knows how valuable personal, sensitive information is (otherwise, you wouldn't have guys in Nigeria targeting Americans and Canadians). It's not a stretch to imagine the thieves taking a look at what's on the computer before unloading it on craigslist or eBay.
And password protection doesn't cut it. An operating-system login password is an access control enforced by the running OS; it does nothing to the bytes on the disk. Boot the laptop from a USB stick or a live CD, or pull the drive and plug it into another machine, and every file is readable without the password ever being asked for; the password can also simply be reset with freely available tools. A simple Google search on getting around password protection turns up a long list of ways to do it, including the ever-helpful YouTube videos. You could be illiterate and still learn how to bypass a login password.
This is why encryption software is necessary on any computer that may store sensitive information. Unlike password protection, which guards the door to the data, encryption protects the data itself: what sits on the disk is ciphertext, and the key that turns it back into readable files is derived from the passphrase entered at pre-boot, so it makes no difference which machine the drive is plugged into.
As an example, contrast it with googling password protection. Search for "bypassing encryption" and you'll find either technical documents and theories, or backdoors (or supposed backdoors) that require the cooperation of the computer's actual owner. No YouTube videos.
That is just one indication, alongside government and academic studies, plain logic, and expert opinion, of how hard it is to get around encryption once it's in place. The practical attacks that do exist (a guessable passphrase, or a key still sitting in RAM on a machine taken while running or asleep) depend on a weak passphrase or on catching the machine unlocked, which is why a strong passphrase, shutting down or hibernating rather than sleeping, and a limit on failed unlock attempts belong with the encryption itself.
I wouldn't be surprised if, after reviewing its security policies, the insurance plan opts to encrypt every computer that holds sensitive information.
Related Articles and Sites:
http://www.cbc.ca/canada/windsor/story/2010/01/27/teachers-laptop-data494.html#ixzz0dr8O0LeP
Over here at AlertBoot, one of the examples we give from time to time of how laptop encryption software can protect your data is a what-if scenario: someone stealing your laptop while you're working at a local Starbucks. (We use Starbucks because, as coffee shops go, they're pretty ubiquitous; at least, they are in metropolitan areas.)
Well, that what-if scenario has become a real, documented one.
According to gainesville.com, a man stole a woman's laptop computer while she was working on it at a local Starbucks. Can you imagine?
You're sitting at one of those round tables, sipping a cappuccino with extra foam or whatever, your computer up and running; and then, some random guy comes up to your table, grabs your computer, and makes a beeline for the door.
The man, Curtis L. Kinsey, was arrested, eventually--it looks like the police matched him up to a suspect's description--but not before trading the computer for crack cocaine.
The computer was recovered and returned to the owner. No word on whether the guy who peddled the crack was also arrested.
What kills me about the entire incident is that, if you check out the URL for the article (found at the bottom of this post), you'll see that the incident was classified as "entertainment."
The laptop was recovered, and chances are there wasn't a data breach... on the other hand, who's to know? If the laptop's owner had no data security in place (the most basic, and perhaps worthless, being password protection; the most secure being encryption software), there is no real way to tell.
Also consider the following: assume the laptop in question contained sensitive information and that there was no data protection in place. Because it took some time to recover the laptop, one has to assume the possibility, if not the probability, of data theft.
However, most people would just think "computer lost, computer recovered, nothing missing, no data breach." Furthermore, the incentive is there not to report the incident: doing the "right thing" may end with someone getting fired, that someone being the person who lost the laptop and has to do the reporting.
If full disk encryption (FDE) were used to protect the contents of the laptop, however, there would be no need to worry about such scenarios. Instead, if a computer with disk encryption were stolen, you only need to worry about the following:
Is there any way for the thief to obtain the password that unlocks the computer?
How easy is it to guess the password?
Is there a limit on how many bad guesses can be made before the computer locks up completely?
The user can answer the first two questions, and the last can be checked against the encryption policies. Once the answers are found to be in line with the company's security goals, everyone involved can reasonably conclude that a data breach will not occur.
One caveat this particular case makes obvious: FDE protects data at rest. A laptop grabbed while it is up and running, as this one was, hands the thief an unlocked session with the encryption key already in memory, so a short screen-lock timeout, and shutting down or hibernating rather than sleeping before walking away, are part of the same control.
And if the laptop were eventually recovered, it would be easy to tell whether the contents had been accessed, since most encryption software keeps logs of the dates and times the computer was unlocked.
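To make the contrast between password protection (the previous post) and encryption concrete, here is an added example in Python; it is not code from the original posts or from AlertBoot. It builds two tiny "disk images", one protected the way an OS login is and one encrypted with a key derived from a passphrase, and shows what a thief who reads the drive raw sees in each. It then models the three questions above: a pre-boot prompt with a guess limit and an access log, and how many guesses a thief gets if that limit can be sidestepped. The HMAC-SHA256 counter-mode cipher stands in for the AES-XTS a real FDE product uses, the sample record is made up, and the hashes-per-second figure is an assumption, not a measurement.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed sample record, the sort of row found on the stolen laptops (not real data).
RECORD = b"name=Bob Smith;dob=1970-01-01;sin=123-456-789\n"
KDF_ITERATIONS = 100_000  # PBKDF2 work factor; real products tune this or use Argon2


def derive_key(passphrase: bytes, salt: bytes) -> bytes:
    """Slow passphrase-to-key derivation, so each guess costs the attacker real CPU time."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, KDF_ITERATIONS, dklen=32)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode stream cipher with HMAC-SHA256 as the PRF.

    Illustrative stand-in for the AES-XTS a real FDE product uses: same idea
    (disk bytes XORed with key-dependent pseudo-random bytes), no authentication.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + struct.pack(">Q", offset // 32), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def password_protected_image(login_pw: bytes, data: bytes) -> bytes:
    """What 'password protection' leaves on disk: a hash the OS checks at login, data in the clear."""
    salt = os.urandom(16)
    return b"LOGIN:" + salt + derive_key(login_pw, salt) + b"\n" + data


def encrypted_image(passphrase: bytes, data: bytes) -> bytes:
    """What FDE leaves on disk: salt, nonce, ciphertext. Nothing here depends on the OS running."""
    salt, nonce = os.urandom(16), os.urandom(16)
    return b"FDE:" + salt + nonce + keystream_xor(derive_key(passphrase, salt), nonce, data)


def decrypt_image(passphrase: bytes, image: bytes) -> bytes:
    """Pre-boot unlock: a wrong passphrase derives a different key and yields garbage."""
    salt, nonce, body = image[4:20], image[20:36], image[36:]
    return keystream_xor(derive_key(passphrase, salt), nonce, body)


def plaintext_visible(image: bytes, needle: bytes = b"sin=") -> bool:
    """The thief's view: the drive pulled out and read raw, with no login prompt in the way."""
    return needle in image


class PrebootAuth:
    """Unlock prompt with a failed-attempt limit and an access log (questions two and three)."""

    def __init__(self, passphrase: bytes, max_failures: int = 5):
        self._salt = os.urandom(16)
        self._verifier = derive_key(passphrase, self._salt)
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False
        self.log = []  # (timestamp, outcome) entries kept for later forensics

    def unlock(self, guess: bytes) -> bool:
        if self.locked:
            self.log.append((time.time(), "rejected: device locked"))
            return False
        if hmac.compare_digest(derive_key(guess, self._salt), self._verifier):
            self.failures = 0
            self.log.append((time.time(), "unlocked"))
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
        self.log.append((time.time(), f"bad passphrase ({self.failures}/{self.max_failures})"))
        return False


def offline_guesses(seconds: float, hashes_per_second: float, iterations: int = KDF_ITERATIONS) -> int:
    """Guesses possible against a copied image with NO lockout: only the KDF cost slows the thief."""
    return int(seconds * hashes_per_second / iterations)


if __name__ == "__main__":
    login = password_protected_image(b"hunter2", RECORD)
    fde = encrypted_image(b"correct horse battery staple", RECORD)
    print("SIN readable from 'password protected' drive:", plaintext_visible(login))
    print("SIN readable from encrypted drive:", plaintext_visible(fde))
    # Assumed attacker budget: one day on hardware doing 1e9 SHA-256/s (assumption, not measured).
    print("offline guesses in a day with no lockout:", offline_guesses(86_400, 1e9))
```

The point of offline_guesses is the caveat behind question three: a lockout counter that lives only in software can be bypassed by cloning the drive and guessing against the copy, so the limit has to be enforced by hardware (a TPM or a self-encrypting drive) to mean anything. Otherwise the only things slowing a thief down are the passphrase's strength and the KDF's cost, which is why both numbers belong in the encryption policy alongside the lockout.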
Related Articles and Sites:
http://www.gainesville.com/article/20100127/ARTICLES/100129541/-1/ENTERTAINMENT?Title=Man-arrested-for-stealing-laptop-in-coffee-shop
BlueCross BlueShield of Tennessee has spent more than $7 million cleaning up after a data breach they had announced in October 2009. I'd say there was a good chance that all of this could have been averted with the use of hard drive encryption.
In October of last year, BCBS of TN announced the theft of hard drives from a training facility. Initially, reports had mentioned that 68 drives had been stolen, but more recent stories are reporting that it was actually 57 drives.
Overall, it was a highly frustrating story to keep track of. Aside from the above, it was at times reported that personal information was unlikely to exist in the stolen drives. Then, BCBS did an about-face, saying that personal information was stored on the devices.
Also, initial reports noted that encryption software was used on the hard drives. About two months later, it turned out that encryption was not used; the data was "encoded." Whatever that means: encoding (a reversible transformation with no secret, the way audio and video codecs or Base64 work) is not encryption, and anyone with the right player or decoder can read it.
I'm not sure how much we can blame BCBS on these reversals in details, though. On-line news has become so trigger-happy that sometimes the blame lies on the messenger.
Why is it costing BCBS so much money, especially when the investigation isn't even finished? I imagine a sizable portion is the free credit-monitoring service offered to those affected: of the 220,000 people notified, 20,500 have already signed up.
It also turns out that 700 people are working on identifying what was breached and whose data it was. Why 700? The drives held video and audio files. I assume that, since there is no reliable automated way of pulling names and SSNs out of recordings, people have to play the files one by one and note whether names, SSNs and other personal information turn up.
As I've noted, disk encryption would have removed the need to spend all that money, manpower and time: the HITECH breach notification rule covers only "unsecured" protected health information, and the HHS guidance treats data encrypted in line with NIST recommendations as secured, so encrypted drives would not have triggered notification at all.
An alternative, and arguably better, measure would have been destroying any data that was no longer needed for operational or legal reasons: a drive that holds nothing sensitive can't leak anything, encrypted or not.
Related Articles and Sites:
http://alertboot.com/blog/blogs/endpoint_security/archive/2009/10/06/data-encryption-software-on-68-missing-blue-cross-blue-shield-hard-drives.aspx
http://www.ihealthbeat.org/articles/2010/1/26/tab-for-response-to-data-breach-hits-7m-for-bcbs-of-tennessee.aspx
The Methodist Hospital in Houston, Texas has alerted nearly 700 people that their medical information was compromised when a laptop computer was stolen. Hard disk encryption was not used to secure the information, it appears, based on what I'm reading.
According to reports, the computer was "attached to a medical device that tests pulmonary function." I take it to mean that it was recording information while hooked up to various medical testing devices.
(You know what I'm talking about if you've ever seen one of those Gatorade ads where a sports star is hooked up to a myriad of wires in a lab and running on a treadmill. You know, right before they splash their drink all over their faces. You'd think these guys would have better eye-hand coordination....)
Anyhow, aside from data relating to lung capacities, Social Security numbers were included as well. I can't think of any reason for including the SSN except as an identifier (you know, to tell one Bob Smith from another), and a medical record number would do that job without putting a nine-digit identity theft key on a portable machine.
One of the sites that covered the story, www.chron.com, has a modestly active comments section. People there are saying the information should have been stored on a secure central server.
I beg to disagree. As one commenter noted, clinical software is specialized and requires "local data." Think of it this way: a desktop program like Microsoft's WordPad writes its file to the local disk by default; pointing it at a network share or running it in a "virtual environment" is technically possible, but the cost and complexity would probably be too much for a machine wired to a pulmonary function tester.
Besides, what if the application has to be used somewhere with no network (internet, LAN, etc.) available?
A better method would be installing encryption software like AlertBoot on the laptop. That way the information on the laptop is protected if the device is stolen, authorized users keep easy access to it, and it works whether or not the machine is ever on a network.
Related Articles and Sites:
http://www.chron.com/disp/story.mpl/metropolitan/6835241.html
http://abclocal.go.com/ktrk/story?section=news/local&id=7240553
Can disk encryption software ever deliver a positive ROI? Yes, I'd argue, if you take the following release into consideration: The Ponemon Institute's annual findings on the cost of customer data breaches.
The survey by the Ponemon Institute is an annual one, and started five years ago: The initial findings at that time showed costs of $138 per customer record breached. In 2009, the costs per customer reached $209.
Considering the 2008 findings, where the breach costs were an average of $207, it looks like the cost of data breaches has reached something of a plateau.
(This may soon change, though, seeing how states seem to be updating their data privacy laws. Plus, there's movement on the federal front. In November 2009, the Personal Data Privacy and Security Act was approved by the Senate Judiciary Committee, and is now facing the vote of the full Senate.)
Negligence, such as lost laptops, topped the list of root causes at 40%. Glitches and malicious attacks followed with 36% and 24% of the cases, respectively.
It was also found that the presence of a Chief Information Security Officer (CISO) has an effect on the costs. Companies with a CISO showed an average cost of $157 per record breached, while those without one had breach costs of $236.
ROI is a measure that doesn't really fit security software. Think about it: a "return" implies future revenue from an investment made today.
Security software is a cost center, and its ROI will always be negative by definition. It's like expecting a return on your life insurance: it's not that you can't get one, it's that you have to go through a sizable accident to collect. I don't know many people willing to do that.
That being said, if you put the cost of protecting your data next to surveys like the one above, you can begin to get a feel for whether encryption software is "worth it." What you're really comparing is a recurring, certain cost against an expected loss.
For example, assume the cost per customer record is $200. Full disk encryption like AlertBoot comes to around $160 per employee per year. Also take into account that most companies have more customers than employees, and assume a typical company suffers a breach every 5 years.
If we assume 2,000 customers supported by 500 employees (a very generous ratio), breach costs of $200 per customer, and $160 per employee per year to encrypt the laptops, we get the following:
Cost of one breach: 2,000 x $200 = $400,000
Encryption, year 1: 500 x $160 = $80,000
Encryption, cumulative through year 2: $160,000
Encryption, cumulative through year 3: $240,000
Encryption, cumulative through year 4: $320,000
Encryption, cumulative through year 5: $400,000
As you can see, the costs balance out in the fifth year. Technically, if the company has a breach every 4 years, it's seeing a "positive ROI." (Yes, I'm assuming the customer count is flat, nobody is hired or fired, and so on. I am, however, taking into account that AlertBoot is a managed service, so the cost recurs every year.)
In the 6th year the company is seeing a "negative ROI," not that I would agree with such a conclusion. After all, the use of encryption means there was no breach to pay for, an important thing to keep in mind when weighing the "cost of data breaches" against a subscription that prevents them.
Also keep in mind that with a more reasonable customer-to-employee ratio of 2,000 to 250, the costs balance out in the tenth year, meaning a "positive ROI" through year 9.
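The same arithmetic, as an added example in Python rather than anything from the original post or AlertBoot's own material: it reproduces the 5-year and 10-year break-even points above and lets you plug in other figures, for instance Ponemon's with-CISO ($157) and without-CISO ($236) per-record costs from the survey. The prices are the ones quoted in the post; the customer and employee counts are the post's own assumptions.

```python
import math

# Figures quoted in the post: Ponemon's per-record breach cost and AlertBoot's price.
COST_PER_RECORD = 200          # expected cost per customer record breached
ENCRYPTION_PER_EMPLOYEE = 160  # managed FDE, per employee, per year


def breach_cost(customers: int, cost_per_record: float = COST_PER_RECORD) -> float:
    """Expected cost of a single breach that exposes every customer record."""
    return customers * cost_per_record


def annual_encryption_cost(employees: int, per_employee: float = ENCRYPTION_PER_EMPLOYEE) -> float:
    """Recurring yearly spend to keep every employee laptop encrypted."""
    return employees * per_employee


def breakeven_year(customers: int, employees: int,
                   cost_per_record: float = COST_PER_RECORD,
                   per_employee: float = ENCRYPTION_PER_EMPLOYEE) -> int:
    """First year in which cumulative encryption spend reaches the cost of one breach.

    A breach that would otherwise arrive before this year makes encryption the
    cheaper option; one that would arrive later makes it the dearer one.
    """
    yearly = annual_encryption_cost(employees, per_employee)
    return math.ceil(breach_cost(customers, cost_per_record) / yearly)


def encryption_pays_off(customers: int, employees: int, years_between_breaches: float,
                        cost_per_record: float = COST_PER_RECORD,
                        per_employee: float = ENCRYPTION_PER_EMPLOYEE) -> bool:
    """True when encryption spend over one breach interval is at most the cost of one breach."""
    spend = years_between_breaches * annual_encryption_cost(employees, per_employee)
    return spend <= breach_cost(customers, cost_per_record)


def cumulative_table(customers: int, employees: int, years: int,
                     cost_per_record: float = COST_PER_RECORD,
                     per_employee: float = ENCRYPTION_PER_EMPLOYEE):
    """Rows of (year, cumulative encryption spend, cost of one breach), the table in the post."""
    yearly = annual_encryption_cost(employees, per_employee)
    one_breach = breach_cost(customers, cost_per_record)
    return [(year, year * yearly, one_breach) for year in range(1, years + 1)]


if __name__ == "__main__":
    for year, spend, breach in cumulative_table(2000, 500, 6):
        print(f"year {year}: encryption ${spend:>9,.0f} vs one breach ${breach:,.0f}")
    print("break-even, 2,000 customers / 500 staff:", breakeven_year(2000, 500))
    print("break-even, 2,000 customers / 250 staff:", breakeven_year(2000, 250))
    print("with a CISO ($157/record):", breakeven_year(2000, 500, cost_per_record=157))
    print("without a CISO ($236/record):", breakeven_year(2000, 500, cost_per_record=236))
```

With the survey's CISO figures and the 2,000/500 case, the break-even moves to year 4 ($157 per record) and year 6 ($236 per record), which is the post's point in one line: the calculation compares a recurring, certain cost against an expected loss, not a return.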
In practical terms, that means data encryption software for laptops like AlertBoot is worth it: I'd assume that most companies won't go ten years without having at least one data breach.
Related Articles and Sites:
http://news.idg.no/cw/art.cfm?id=64C34A39-1A64-67EA-E449D53EB1258EDB
http://www.networkworld.com/news/2010/012510-data-breach-costs.html