AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Archives

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

SBUX Baristas Experience Second Data Breach In As Many Years, Laptop Encryption Software Unavailable?

Several blogs have reported that Starbucks employees are receiving letters asking them to watch out for funny business. According to the letter, a laptop computer with personal information (including name, address and SSN) on 97,000 employees was stolen. The coffee company last had a major breach approximately two years ago. It seems likely that laptop computer encryption was not used in this case, if my interpretation of Washington data breach notification laws is correct. Thankfully, the law is written mostly in civilian-speak, which is good, since I’m not a lawyer.

According to RCW 19.255.010, the breach notification law in Washington,

Any person or business that conducts business in this state and that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

The above emphasis is mine, of course. It seems to me that had Starbucks used data encryption software (the letter, a copy of which is available here, does not mention whether data protection measures were in place), it wouldn’t be required to notify 97,000 employees of the theft of the laptop computer. But the company did, and also offered Equifax credit monitoring for one year to all affected, which will cost plenty of ducats; even with a discount, it probably means plunking down close to $1 million, if not more. What public company would offer such a package when the use of encryption would have protected personal data? All signs point to “no encryption.”

On the other hand, it could be that Starbucks did encrypt the data and is just being cautious. After all, Starbucks does try to be a socially conscious company. Plus, one would imagine that the inventors of the Frappuccino would have the sense to employ information security after the first major breach. But then why not mention the presence of data protection measures? My experience is that usually the lack of information is quite revealing as well.

STARBUCKS GOSSIP

A claim is made in the gossip site that the laptop computer was stolen from an employee’s home:

I called the PCC [Partner Contact Center] after I got my letter and they informed me that the laptop was stolen out of someone's home. Apparently the partner who had the laptop stolen worked at the enterprise help desk, but worked out of the home. They were running something related to the databases, and that night I guess his laptop was stolen out of the home. [Posted by: tomokun]

It seems to me that if this guy was officially working out of home, he definitely should have had his laptop contents encrypted. Many say that the information shouldn’t have been on the laptop to begin with. I’d agree, on principle, that information on 97,000 current and ex-employees shouldn’t be stored on a laptop in an unsecured environment.

But, let’s be realistic. Stuff like this happens all the time. Even logging in remotely doesn’t prevent someone from downloading information to their laptop: ever feel the frustration of having to wait for your mouse’s pointer to move from one side of the screen to the other, two seconds after you actually moved your mouse? As long as minor technological hurdles remain, people will attempt to download work to a local machine. The pragmatic thing to do is to ensure the safety of that data by using encryption.

Other things to point out, based on what I’ve read at the Starbucks Gossip site so far:

  • Password protection is not protection.  What you really want is encryption.
  • From what I understand, a stolen laptop with sensitive information is not grounds for a class-action suit.  Supposedly, it’s because you can’t sue for what may happen; you can only sue after something has happened -- and what has to happen is ID theft, which has to be directly tied to the laptop theft.  The theft of the laptop itself is considered to be no different from the theft of an ordinary object, like a car. (And, again, I'm not a lawyer).
  • Also, the same law I mentioned at the beginning points out that those who break the data breach laws will be enjoined, which means they’re prohibited from continuing to commit a certain act. This means that Starbucks would have to, say, stop storing data on laptops; probably not the expected outcome for most people looking to sue the company.
  • As long as this is a case where a laptop computer got stolen, only the local police will get involved. You may recall cases where the FBI got contacted after a data breach, and it was most probably due to hackers stealing data over the wires.
  • The comment by “no melon” regarding the theft of encryption keys using cold air: we’re talking about a one-minute window of opportunity in which to perpetrate the crime. If the laptop was turned off for longer than one minute, there is no issue. More encryption systems have been bypassed, and will be bypassed, by the simple yet ubiquitous Post-It note with usernames and passwords.

That last one really irks me. I’ve had people proclaim to me that encryption doesn’t work, and have used the cold-air case as their “proof.” How is it possible to be so misinformed? Let me put it this way: would you say that a condom is not an effective means of contraception because a pregnancy will result in 2% of the cases when it’s used properly? Is Lysol not an effective disinfectant because it only kills 99.9% of germs?


Related Articles:
http://starbucksgossip.typepad.com/_/2008/11/somebody-please.html
http://network.nationalpost.com/np/blogs/theampersand/archive/2008/11/24/starbucks-baristas-might-want-to-double-check-their-bank-statements.aspx
http://www.csoonline.com/article/221322/CSO_Disclosure_Series_Data_Breach_Notification_Laws_State_By_State
http://seattletimes.nwsource.com/html/retailreport/2008430880_retailreportdige25lap.html

Comments

AlertBoot Endpoint Security said:

Well, it took some time, but it looks like the lack of laptop encryption software is translating into

February 25, 2009 6:15 PM
About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.