The British Columbia Privacy Commissioner's Office is investigating the theft of a laptop from Burnaby General Hospital. A laptop computer, which under the rules was supposed to be protected with disk encryption software such as AlertBoot, was stolen. More than 600 people are affected.
A total of 635 patients had their names, dates of birth, and personal health card numbers in that stolen laptop. The computer was in the Pulmonary Function Lab at the time of the theft. The laptop, contrary to hospital regulations, was not protected with encryption software.
The official investigating the matter noted that "health authority [Fraser Health Authority] should be protecting people's privacy before things are stolen, not afterward" and that,
We've been saying for years now that portable storage devices, including laptops or flash drives — those kinds of devices, that contain personal information — that information about identifiable individuals must be encrypted. [cbc.ca]
Meh. Who hasn't been saying that?
You know what they say about Canadians? More polite than Americans; they read more than Americans; yadda yadda...the comments section shows it to be true. Comments for the most part are thoughtful, and at least half of them run 5 or 6 sentences long. I mean, I know of blog posts that contain less content...
Anyhow, one of the recurring questions is, why was a laptop being used to collect data in the first place? Maybe it's just me but it seems that, since the device was stolen from the Pulmonary Function Lab, the laptop was hooked up to some lung-function-measuring apparatus.
If so, the rest of the criticisms related to "not storing patient data on laptops" and "it should have been saved on servers" just slough off. I mean, can you imagine designing a spirometer so that it connects to a remote server? And people complain that health-care costs are out of whack; when I listen to some people, it's a wonder it's not worse.
Believe it or not, there are situations where sensitive information is stored on a laptop for legitimate reasons. This does not mean that what the hospital did was right. All I'm pointing out is that many people are criticizing an irrelevant issue.
What they should be asking is: why did the hospital not encrypt their hospital laptop?
Related Articles and Sites:
http://www.cbc.ca/canada/british-columbia/story/2010/09/02/bc-stolen-laptop-patient-data.html?ref=rss1#socialcomments
http://www.theglobeandmail.com/news/national/british-columbia/stolen-burnaby-hospital-laptop-contained-patients-private-information/article1693862/
http://www.news1130.com/news/local/article/96826--bc-privacy-watchdog-concerned-some-organizations-are-still-not-encrypting-private-data
AON Corporation recently revealed that the details of 22,000 people were leaked, two weeks ago. I hadn't really covered it because it was not a situation where data protection, such as AlertBoot's drive encryption, would have helped: the information was actually posted on-line.
Today, a lawsuit was filed against AON and lawyers are seeking class-action status. In the end, AON will probably come out on top. I'm not a lawyer, so how do I know?
History, my friend. History.
I've covered the issue before, as have many law-oriented websites. My most recent one is this one, where the Bank of New York Mellon successfully had a similar lawsuit dismissed. In that particular case, a backup tape with sensitive information was lost, potentially putting hundreds of thousands
And therein lies the rub. So far, the courts have ruled again and again that the potential for harm is not grounds for a lawsuit. Only if someone can prove harm will the cases have any merit.
So, the question with the AON case above is: can harm be proved? Can it be linked directly to the AON breach? Color me a pessimist, but this is another case that will be dismissed, class-action status or not.
Unless, of course, someone becomes a victim of ID theft. Isn't that weird and sadly funny? In order to even gain a foothold in this lawsuit, the defendant (or defendants) essentially has to pray for even more damage.
Related Articles and Sites:
http://www.itnews.com.au/News/230799,aon-leaks-22000-id-records.aspx
http://www.delawareonline.com/article/20100902/NEWS02/9020337
Connecticut currently has a data breach notification law on its books. Like many states, the use of encryption tools, such as full disk encryption for laptop data protection, provides safe harbor from sending out notification letters in the event of a data breach.
I just had to take a look into it after yesterday's post on Connecticut's insurance data breach notification directive.
The state's notification law is surprisingly short.
Connecticut is one of those states that does not twist language and logic in order to essentially say, "if you used encryption to protect data, you're golden." Many state laws provide safe harbor by defining personal information as "unencrypted personal information." Then, they mandate notification letters in the event of a data breach of personal information.
Since encrypted personal information is by definition not personal information (see how convoluted that is?), the breach of encrypted personal information does not require breach notifications. No such nonsense with Connecticut. Here's their definition of a breach:
For purposes of this section, "breach of security" means unauthorized access to or acquisition of electronic files, media, databases or computerized data containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable. [Sec. 36a-701b(a)]
Oh, my! How stupendously direct and clear that is! Honestly, I've got to congratulate the Connecticut legislature for making things so easy to comprehend.
I mean, certainly there are loopholes (would password-protection be considered a method that "renders the personal information unreadable or unusable?" I would not). However, you don't have to jump and hop over different sections to figure out what's going on.
Note how the breach is relegated to computerized data only. This is something of an antiquated definition of a data breach. Notification ought to be extended to paper records as well, just like the CT Insurance Commissioner mandated to its registered entities.
In fact, many states are updating data breach notification laws to include information breaches of paper documents.
According to the law, "personal information" is the first name (or initial) and last name combined with:
- Social security number
- Driver's license or state ID information
- Financial information, such as account numbers, credit card numbers, etc.
Nothing surprising here.
There are no specifics on what needs to be included in notification letters, although this is not uncommon. Many states do not specify content requirements, although those that do generally tend to include the following:
- The incident in general terms;
- The type of personal information that was subject to the unauthorized access and acquisition;
- The general acts of the individual or entity to protect the personal information from further unauthorized access;
- A telephone number that the person may call for further information and assistance, if one exists; and
- Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.
There are exceptions to sending notification letters if the cost of doing so involves or exceeds 500,000 people or $250,000, respectively. In that case, substitute notices can be sent out as long as all of the following are adhered to:
- E-mail is sent out, for affected persons whose electronic addresses are on file
- Conspicuous posting on the breached entity's website
- Notification to state-wide media
No specific penalties are listed for not complying with CT's breach notification legislation. However,
Failure to comply with the requirements of this section shall constitute an unfair trade practice for purposes of section 42-110b and shall be enforced by the Attorney General. [Sec. 36a-701b(g)]
I would suggest the use of AlertBoot endpoint encryption vs. having to deal with all of the above if and when things go awry. I mean, why not take advantage of a safety net (in the form of encrypted data) if you're being afforded one?
Related Articles and Sites:
http://www.cga.ct.gov/2009/pub/chap669.htm#Sec36a-701b.htm
India and communications companies are still (were?) at loggerheads over the use of encryption technology, the same technology that powers AlertBoot endpoint encryption software. It was reported today that, in addition to RIM--the operators of BlackBerry devices--and Skype, Google has been asked to provide access to encrypted information.
I've already covered the story back in early July, when there were rumors that BlackBerries would be banned in India as well as Saudi Arabia; the latter relented from banning BlackBerry service, although it looks like some kind of compromise was reached in August.
Not so with India. As I noted in my post from July, India's Department of Telecommunications had initially denied the rumors of a BlackBerry ban. Today, we find the Union Home Secretary stating that "People who operate communication services in India should have a server in India and give data and communication access to law enforcement agencies," per tribuneindia.com, essentially confirming the original rumors (personally, I don't think too many believed the initial statements regarding the rumors.)
It was pointed out that Skype and Google would also have to do the same. Nokia has already agreed to set up their servers within India. And, it looks like RIM has agreed to do the same. You can read here what that means for people who rely on their BlackBerry devices for communications security.
Google's presence in the latest news surrounding the issue is of note: it's probably due to their recent debut of Google Voice in Gmail.
If you're a casual reader of data security news, you might have come across statements such as, "encryption is worthless. I could crack that stuff in less than a day. Proof: all those DVDs that are supposedly protected with encryption but have been cracked, time and again."
Sure. And there's no difference between a Ford Focus and a Hummer, because they're both vehicles available to civilians. You could totally crack open a Hummer with a can opener, just like the Focus. (I'm being sarcastic, by the way.)
In a sense, the encryption that protects DVDs from piracy is the same technology that protects the above companies' communication channels. However, a DVD player is not the most powerful of devices. Using strong encryption would severely slow down the performance of the device for what is an entertainment device that needs to be cheap enough for the masses.
Long story short: there is such a thing as weak encryption out there, and it has its use. In communications devices designed for professionals or with security in mind, strong encryption is used. The difference between them is night and day.
Which is why you've got governments "asking" for access. So much for encryption being worthless.
Related Articles and Sites:
http://economictimes.indiatimes.com/infotech/hardware/India-will-not-compromise-on-security-firm-on-BlackBerry/articleshow/6476123.cms
http://www.tribuneindia.com/2010/20100902/main4.htm
http://sify.com/finance/govt-to-ask-google-skype-to-give-data-access-news-technology-kjcbOWdjijj.html
The Connecticut Insurance Commissioner issued Bulletin IC-25 earlier this month, officially instructing all Department of Insurance Regulated Entities to "notify the Department of any information security incident[s]." The use of data encryption won't be grounds for granting safe harbor, a departure from the State's own personal information breach disclosure laws.
The order to inform the Department extends to the breach of paper records as well--not just digital data found in computers, external drives, etc.--and entities will have to give notification within five calendar days after the breach is found. Notification has to be in writing: first class mail, overnight delivery, and e-mail are given as options.
The bulletin is quick to point out that it knows that maintaining good information security is overwhelming for any business. In fact, it even "expects" it to be so, which means, I guess, the Department is aware that information security breaches are something it will have to live with (but, of course, continuously work to eliminate). The latest mandate is not meant as a punitive measure:
The Department's concern is to make certain that in addition to minimizing these incidents, licensees and registrants react quickly and affirmatively to let affected Connecticut consumers know that they may be at risk and what is being done to protect sensitive and confidential information. The Department also wants to make sure that there is an opportunity for the Department to actively monitor the situation and guarantee those consumer protections throughout the process.
On the other hand, the Insurance Commissioner also notes:
Each incident will be evaluated on its own merits and depending on the circumstances, some situations may warrant imposition of administrative penalties by the Department. To minimize that potential, licenses and registrants are urged to follow these procedures.
I'm sure that penalties will be assessed in only the most egregious circumstances.
The bulletin itself is a short read, only 4 pages long, and also contains:
- Definitions on what comprises an information security incident
- What must be included in the content of the notification letter
- Where the Department gains its authority to mandate notification
- A list of Regulated Entities that needs to
In closing, I should point out that the now-mandatory notification under Bulletin IC-25 is to the Department only. As far as I can tell, it's up to the breached companies to figure out whether their clients should be notified of the breach as well.
I guess that makes sense, and it also helps explain why the use of encryption software is not grounds for safe harbor, at least not for reporting to the Department itself.
If sensitive information is breached but clients are not at risk because encryption is used...well, the clients don't really need to be alerted to the fact that "you're still safe." However, not being informed of a breach doesn't really help the Department figure out the overall picture, and that's what it really seems to want.
Related Articles and Sites:
http://www.ct.gov/cid/lib/cid/Bulletin_IC_25_Data_Breach_Notification.pdf
The P.K. Yonge Development Research School at the University of Florida has announced a data breach affecting students and employees. A laptop computer was stolen from a car, and it looks like hard drive encryption was not used to secure the data (although that won't be true for long).
According to the University of Florida, "P.K. Yonge is a kindergarten-through-grade-12 laboratory school affiliated with University of Florida’s College of Education." The stolen laptop appears to have been used by an administrator, since the information includes not only student information but employee information as well, such as payroll and parking permit information.
The information goes all the way back to 2000, and also includes names, SSNs, and driver's license numbers. Academic and medical records for students were not stored on the computer.
Password-protection was used to protect the data, but it appears that encryption software was not. Which begs the question, why not?
The theft took place in San Francisco when someone broke into a rental vehicle. In other words, the laptop traveled all the way from Florida to California. It also had to travel back, had it not been stolen. I think it's pretty safe to say that the laptop--which, I remind you, contained restricted information--was outside a secure area for a good while. Plus, one of the more common places where laptops get lost or stolen is at the airport.
So, you've got a laptop that's full of sensitive information. It's not only on the move, which means there's already a heightened risk of a data breach, it's heading towards a high risk area when it comes to laptop thefts.
(Granted, the laptop was not stolen at the airport; however, you don't come out of a battlefield unscarred and say, "well, putting on my bulletproof vest was useless." Protection requires looking at the situation beforehand and evaluating your risk profile, not evaluating your specific outcome after the fact.)
It's quite obvious that laptop encryption like AlertBoot ought to have been used on the laptop. In fact, I would have recommended it regardless of the travel plans, since it contained SSNs and other sensitive information, and was probably kept in a low-security area: in my experience, most college administrative offices tend to have poor physical protection due to the relative safety of campuses.
Update: Ah, I forgot. The university for its part has stated that it has started encryption on their laptops, I assume on account of this latest data breach.
Related Articles and Sites:
http://news.ufl.edu/2010/08/31/yonge-privacy/
http://privacy.ufl.edu/incidents/2010/pkyonge/
http://www.gainesville.com/article/20100831/ARTICLES/100839928/-1/news?Title=Stolen-P-K-Yonge-laptop-had-8-300-student-employee-records&tc=ar