Well, the rich certainly have it better than the hoi polloi, even when their identity might be misused.
T. Rowe Price has alerted that thieves were able to make off with two laptops containing the personal information of 401(K) participants. The laptops were stolen from the offices of a contractor, CBIZ Benefits and Insurance, and 35,000 people might be affected by this particular data breach. CBIZ prepares tax forms for T. Rowe, and hence the presence of sensitive data such as names and Social Security Numbers.
The two laptops were stolen on Christmas Eve. Quite a sizable time lag there between the theft and public announcement. If any of these clients lived in
T. Rowe has stated that laptop encryption and other forms of data protection were not specified when they signed up the contractor, and do not hold CBIZ liable for the data breach. In fact, T. Rowe has claimed responsibility for any future cases of ID fraud, and has generously offered credit monitoring and $25,000 in identity theft insurance (hence my glib remark about the hoi polloi). That five?figure number certainly is unheard of.
Perhaps I’m reading too much into the news article that covered this story, but it almost seemed as if T. Rowe Price, while concerned enough about the situation—all laptops used by CBIZ have since been encrypted—was treating the situation as a dry, unusual exercise that wouldn’t happen again. If you want a positive spin on it, I guess you could say that they were being pragmatic and logical about the entire situation, accepting that it was a random incident that probably won’t be replicated any time soon. However, how am I supposed to interpret the following sentence?
“Geffert said the CBIZ division affected by the breach – CBIZ Human Capital Services – has since installed encryption software on its laptops, but it is not considered industry standard to do so.” [From SC Magazine. My emphasis.]
Geffert is associate counsel for CBIZ. He must be a lawyer, because no PR agent would say something like that—it almost seems to imply, hey, we did our best according to what other people have in place. Never mind that we could have done more to begin with. Hmph. I guess I’m admitting that there is value to PR folks. Or perhaps Geffert meant that encrypting laptops that are used in a secure environment, within the office for example, is not an industry standard, which makes sense—if physical security is airtight.
While I cannot give specific examples, I happen to know that many financial companies are actively engaged in encrypting their computers, especially laptops. The reasons for doing so are quite obvious. Besides the T. Rowe case above, which has affected a relatively small number of clients, there have been other high?profile cases where potentially affected clients numbered in the hundreds of thousands. However, those cases reflected instances where a laptop was lost or stolen outside the confines of the office.
Here’s the reason why it’s a fallacy to encrypt laptop computers only, or computers that are constantly on the move: Things get stolen from within a company’s walls all the time. We have instances of “poseurs” who infiltrate companies specifically for stealing computers. The janitorial staff may decide to haul some hardware and quit their job. Security guards are known to have stolen from the job. This is not news; it happens, and it’s quite commonplace, some more than others. Does it happen at a greater rate than lost laptops? Probably not.
But it happens—and since security tends to be more lax for such computers (i.e., there’s a lack of encryption), when it does happen the repercussions are going to be dire. In fact, my belief is that once the world finishes encrypting all laptops with encryption services like AlertBoot, they’re gonna find that all the data thefts are coming primarily from inside—you know, where security is the weakest.