The Department of Human Services (DHS) Gateway Center in Springfield, Oregon, is contacting approximately 3,000 people whose private information was breached when a laptop computer was stolen. The device was protected with encryption software (and password protection), making the notification a bit unusual.
According to kval.com, DHS has notified people who were fingerprinted at either of the following locations that they are at risk of identity theft:

- Willamette Street (Eugene, August 2008 - August 2010)
- Gateway Center (Springfield, August 2010 - December 2011)

The people affected include "DHS staff, volunteers, foster parents, adoptive placements, respite providers and in-home care providers." The type of sensitive information that was involved was not revealed.

Again, the laptop was protected (I presume that full disk encryption software was used), so the risk of a data breach is actually very low, unlike the claims I've explored earlier in the week, where the use of password protection alone led some "breachees" to believe that their risk was low.
Oregon has a personal data breach disclosure law on its books. Because of the DHS's actions above, I thought it was one of the few states that didn't extend safe harbor to digital data breaches even when cryptographic solutions are used to protect data. It turns out that this is not the case: Oregon provides an exemption from sending these notifications if the data is encrypted, as long as the encryption key is not compromised.

I'm not sure what to make of it. Obviously, one explanation is that DHS really did send those notification letters "in an abundance of caution," a statement that's perfectly justifiable for them to use since real data protection was in place.

Less rosy reasons could be that:

- The laptop's encryption was hamstrung in some way. For example, the encryption key or the password was compromised (e.g., Post-It notes).
- The encryption algorithm was not secure enough. While there are many ways of encrypting data, the only one that's truly valid is strong encryption. Depending on the criteria, a particular way of encrypting data could be deemed weak encryption, meaning it can be brute-forced in a short period. Currently, AES-128 and above is considered strong encryption, as are its equivalents.
- The laptop was stolen by an insider. If the information was stolen by an insider who has the password and is suspected of having ties to identity thieves, the key is effectively compromised. This is a subset of the first bullet point above.
Related Articles and Sites:
http://www.kval.com/news/local/State-Stolen-laptop-had-private-info-on-3000-local-people-136106658.html