Automatic Data Processing, Inc (ADP) filed a breach notification letter with the New Hampshire Attorney General's office. According to the letter, a laptop was stolen from an ADP employee. The device was protected, possibly with disk encryption software (such as AlertBoot). However, it looks like encryption software may have failed the company in this case.
In the letter, ADP notes that the personal information of 3 New Hampshire residents was possibly compromised in a security incident. On November 12, 2011, the laptop was stolen from an "ADP associate" at his home. The computer was encrypted, as machines with corporate data related to personal information ought to be.
However, "there is a possibility that both the encryption and log-on password could have been compromised." What this means specifically, the letter did not disclose.
Usually, passwords are compromised via the all-too-ubiquitous sticky note. When one's password is long and complex enough, people tend to write it down. Since this password is important, it generally tends to occupy that one note (you wouldn't want a password to be obscured by phone numbers, people's names, doodles, etc.). That one note tends to be a Post-It.
I figure that what happened is that the thief was grabbing the laptop, there was a Post-It in the vicinity which attracted the thief's attention (they're yellow for a reason), he saw it was a password, and grabbed it as well. (Incidentally, do you know why Post-Its are yellow? Many think that it's so it will stand out. Not so.)
Regardless of how it actually happened, information pertaining to AW Hastings was compromised.
Which is interesting because ADP filed the letter with the NH AG.
Why is it interesting that ADP filed the report? Because most state and federal laws assign the responsibility of protecting data to the original owners of the data. This responsibility also means that the data owners are the ones that notify any agencies and organizations in compliance with the law. Furthermore, it's argued that when an unknown third party sends a breach notification letter, those who are affected by a breach are more than likely to junk that letter unread, believing it to be marketing materials (i.e., junk mail).
Take a recent example: when TRICARE had a data breach, it was TRICARE that notified the media and affected people, despite the fact that the actual breach was by SAIC. Had SAIC sent those letters, people might have not paid attention to it.
Of course, for the AG, an exception can be made. I guess. After all, what's important is that the AG be notified of the situation, and I can't imagine that the Attorney General's office gets too much junk mail.
Related Articles and Sites:

http://doj.nh.gov/consumer/security-breaches/documents/aw-hastings-20111208.pdf