AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

CD Disc Encryption: Interior Department Loses Encrypted CD, Notifies 7500 Employees

A procurement specialist at the Interior Department's National Business Center reported a CD as missing, which triggered breach notifications to 7,500 federal employees.  This was despite the contents of the CD being protected by data encryption.  Why?  I'm truly perplexed.

Encryption = Protection

The CD was lost around May 26.  Information contained in the disc "was used to support billings from the vendor" and "presumed to be lost in the center's secured, restricted-access area."  It was encrypted and password-protected.  So why the notifications?

The only reason for using encryption software is to protect information.  Otherwise, why use it?  I mean, it adds time to processes; it means headaches if you forget the password; you have to ensure the receiving party also has the password; etc.  If encryption didn't do a good enough job, why would anyone willingly go through all of the above?

And yet, here we have a situation where an encrypted CD is lost, within a secure area, and people are notified.  While I prefer people being notified of a breach to not being notified, I also think that there is something to the idea of "data breach overexposure," where people don't pay as much notice once they're acclimated to something--anything.

I feel that, as long as there was adequate protection, a breach notification is neither necessary nor recommended.  It's like mail from your bank: once you start getting what amounts to "junk mail" from your bank, you're also apt to ignore the important missives, such as bank statements and breach notification letters.

Changing Procedures

Again, puzzling: the business center has reviewed its processes and decided that in the future "this type of data is received only through secure network connections."

If they meant to do this, and the lost CD is the trigger for finally implementing it, I can understand.  However, if they're doing it because they think it offers "better" security...well, does it?

The only way an encrypted CD poses a data risk is if weak encryption was used or if the loss was an inside job.  The former is easily solved: don't use weak encryption.  The latter...well, there is no real effective deterrent to the latter.  But, I should point out that a secure network connection is also vulnerable to an inside job.

In fact, when you think about it, the only reason a secure network connection is secure is because of encryption.  Without additional details, it's kind of hard to tell, but it seems to me that changes were implemented for change's sake, without actually increasing security overall, which sounds as if it was good enough to begin with....


Related Articles and Sites:
http://fcw.com/articles/2010/06/16/interior-loses-cd-with-personal-data-for-7500-federal-employees.aspx


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.