Horizon Blue Cross/Blue Shield of New Jersey is notifying over 300,000 members that their names, Social Security numbers, and other information were on a laptop computer stolen on January 5 from the home of an employee who was authorized to take the data home. Well, I’m assuming it’s her home, although the health insurance company pointedly stated that it was not stolen during a robbery. (If it’s not a robbery…what the hell is it? I mean, it’s kinda hard to “pickpocket” a laptop. Or perhaps someone just sauntered into her home and left with it—no breaking in or anything violent at all?) The employee was allowed to take the data home because Horizon has a work-at-home program and, yes, they do have policies in place to protect their member data. Any personnel who travel would also have to adhere to these policies.
The policies include ensuring the physical security of a laptop and keeping it in the possession of the employee at all times. Plus, it seems other contingency plans were in place as well. The press release by Horizon stated that the data would be automatically destroyed by the computer on January 23. If only they had included encryption as part of their data protection efforts. Supposedly encryption of all laptops was already under way at the company, but this particular laptop had not been equipped with it.
As is usually the case in such matters, Horizon stated that there were different levels of password protection.
It’s hard to criticize an organization that has done the right things in many ways. The presence of automatic data deletion is quite rare for most companies; it’s probably rarer than encryption, and to me it shows Horizon is serious about data protection. So why do they have the one and not the other? Beats me. It could be that the last time they reviewed different data protection technologies, whole disk encryption was nixed. Encryption has traditionally had quite an impact on computer performance, and only recently have advances in hardware performance allowed that impact to decrease to barely perceptible levels.
And the thing about encryption is that it has to start from somewhere, and the process is not instantaneous. Even with a managed encryption service like AlertBoot, it would take about 10 minutes on average to equip one computer (be it a desktop or a laptop) with encryption software. Of course, for companies like this insurer, AlertBoot offers something much more convenient—and something that nears instantaneous installation. I don’t want to get too technical, but AlertBoot can make use of Microsoft Active Directory, for example, to synchronize encryption software installation. Now, chances are that any company that has over 1000 employees is also using Active Directory, so we’re using existing infrastructure to install the encryption software, saving in the process a serious chunk of time—and offering faster, and hence better, data protection.
Of course, my personal feelings are not universally shared. The politicos of New Jersey are grandstanding, saying that they’ll have an investigation into this matter—which they should; I’m not saying that Horizon did well—I’m saying that their efforts are probably better than those of many companies out there, but still failed. So, they should face the consequences. However, some of these remarks…tsk, tsk. I realize that they have to quell any ire from their constituents, but do politicians really have to sound like they have no idea of what’s going on?
“They treated this information as if they were running a roadside lemonade stand” is supposedly what the Honorable Kevin O’Toole said regarding the incident. Perhaps he didn’t get the memo, but self-destructing data is closer to