Arrow Electronics has notified the New Hampshire Attorney General's office that it recently experienced a data breach, and has sent breach notification letters to all who are potentially affected. It looks like disk encryption and other security products and services, such as AlertBoot, were not used in this case.
The breach took place on February 18, when burglars broke into Arrow's New York office and stole a laptop computer. Via backups, it was determined that the stolen device contained the personal information for over 4,000 employees (current and former).
The personal information included names, addresses, and telephone numbers. In some instances SSNs were included, as well as corporate and personal credit card numbers--including the security codes and expiration dates.
Which is disturbing. Why would my employer need to know my personal credit card information? I'm sure there must be a logical explanation, but it still seems unusual.
It appears that the breach of credit card information is limited to those who used company-issued BlackBerries, wireless AirCards, and calling card services.
Arrow Electronics is offering credit monitoring services.
And not just for obvious reasons. Obviously, computer data backups, whether it be just important files or the contents of an entire hard drive, are necessary because one never knows when an emergency or disaster is going to strike. I mean, that's why they're called emergencies, right?
But, in this new world where computers are stolen, not because of their hardware value, but because of the data that's in them, only backups allow a company to determine the true extent of a data breach. One of the things you definitely do not want to do is rely upon people's memories to make that determination.
Plenty of companies have done that initially--perhaps as a means of speeding up their notifications to various agencies--only to later find via their backups that even more people are involved, or that other, sensitive data was present in stolen machines. People's memories are fallible, and it seems to be even more true when dealing with emergencies.
So, when drafting up your data security plans, definitely make sure encryption software for your computers is in place. But, also make sure you've got adequate backup plans as well, for the obvious reasons as well as the not-so-obvious ones, such as legal compliance and notifications.
This is especially true if you operate in more than one state. Breach notification rules vary from state to state, and some states don't provide a safe harbor for the use of encryption as a means of data protection.
Related Articles and Sites:
http://www.databreaches.net/?p=10543
http://doj.nh.gov/consumer/pdf/arrow_electronics.pdf