Several blogs have reported that Starbucks employees are receiving letters asking them to watch out for funny business. According to the letter, a laptop computer with personal information (including name, address and SSN) on 97,000 employees was stolen. The coffee company last had a major breach approximately two years ago. It seems likely that laptop computer encryption was not used in this case, if my interpretation of Washington's data breach notification law is correct. Thankfully, the law is written mostly in civilian-speak, which is good, since I’m not a lawyer.
According to RCW 19.255.010, the breach notification law in Washington,
Any person or business that conducts business in this state and that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
The emphasis on “unencrypted” is mine, of course. It seems to me that had Starbucks used data encryption software (the letter, a copy of which is available here, does not mention whether data protection measures were in place), it wouldn’t have been required to notify 97,000 employees of the laptop theft. But the company did, and also offered Equifax credit monitoring for one year to all affected, which will cost plenty of ducats; even with a discount, it probably means plunking down close to $1 million, if not more. What public company would offer such a package when the use of encryption would have protected the personal data? All signs point to “no encryption.”
On the other hand, it could be that Starbucks did encrypt the data and is just being cautious. After all, Starbucks does try to be a socially conscious company. Plus, one would imagine that the inventors of the Frappuccino would have the sense to employ information security after the first major breach. But then why not mention the presence of data protection measures? In my experience, the absence of information is usually quite revealing as well.
A claim is made on the gossip site that the laptop computer was stolen from an employee’s home:
I called the PCC [Partner Contact Center] after I got my letter and they informed me that the laptop was stolen out of someone's home. Apparently the partner who had the laptop stolen worked at the enterprise help desk, but worked out of the home. They were running something related to the databases, and that night I guess his laptop was stolen out of the home. [Posted by: tomokun]
It seems to me that if this guy was officially working out of his home, he definitely should have had his laptop contents encrypted. Many say that the information shouldn’t have been on the laptop to begin with. I’d agree, on principle, that information on 97,000 current and former employees shouldn’t be stored on a laptop in an unsecured environment.
But let’s be realistic. Stuff like this happens all the time. Even logging in remotely doesn’t prevent someone from downloading information to their laptop: ever feel the frustration of watching your mouse pointer crawl from one side of the screen to the other, two seconds after you actually moved the mouse? As long as minor technological hurdles like that remain, people will copy work to a local machine. The pragmatic thing to do is to ensure the safety of that data by using encryption.
Other things to point out, based on what I’ve read at the Starbucks Gossip site so far:
That last one really irks me. I’ve had people proclaim to me that encryption doesn’t work, and use the cold-air case as their “proof.” How is it possible to be so misinformed? Let me put it this way: would you say that a condom is not an effective means of contraception because a pregnancy results in 2% of cases even when it’s used properly? Is Lysol not an effective disinfectant because it only kills 99.9% of germs?
Well, it took some time, but it looks like the lack of laptop encryption software is translating into