The theft of a laptop computer from the King County Sheriff's Office (Seattle, WA) has triggered a data breach involving approximately 2,300 people. It's the type of data breach that is easily prevented via the judicious use of laptop encryption like AlertBoot Full Disk Encryption. According to a spokesperson, "there was no malicious intent."
It's the oldest story in the book: computer gets stolen from car. Or, rather, truck, in this case. According to komonews.com:The laptop and a personal hard drive were full of case files, including personal information about thousands of crime victims, suspects, witnesses and even police officers.The laptop was stolen last March from the backseat of a detective's undercover pickup truck.It took KSCO nearly three months to notify victims because "they had to figure out who they needed to notify." Normally, my cynical self would claim that this is hogwash. Washington state, like most states that have data breach notification laws, allows the dissemination of the breach via public notice (like newspapers, the television channels, etc.) if an organization is left without specific ways of notifying victims.However, seeing whose data was involved, it stands to reason that notifying them should be done discretely.
The laptop and a personal hard drive were full of case files, including personal information about thousands of crime victims, suspects, witnesses and even police officers.The laptop was stolen last March from the backseat of a detective's undercover pickup truck.
The detective in question "violated KCSO policy" although it wasn't specified what the policy is. Is it (1) always using encryption softwarewhen sensitive data is stored on a digital storage device, like a laptop or an external hard drive, (2) not storing any sensitive data on devices that were not issued by the Sheriff's Office, (3) never taking sensitive data outside of the office, or (4) a combination of the above (or even something else)?It's obvious to me that the type of policy matters. If it's one of those policies that look good on paper but have zero feasibility, it's hardly fair to the detective at the center of this data breach, isn't it?
According to komonews.com, "this was not the first data loss [the Sheriff's Office] had, but it was the largest." Sigh. Well, at least there is this: the KCSO was in the process of deploying encryption software on all department computers (60% of them encrypted at the time of the theft). Obviously, the stolen computer was not cryptographically protected.Seeing how three months have passed since then, one can only expect that that figure is now at 100%.An easier approach may have been the use of AlertBoot FDE. Because the deployment process occurs over the Internet, any computer that required encryption could have been protected from any internet hotspot. The usual logistics of having to bring in the laptop to the IT department, dropping it off, and picking it up would have been superfluous.