Regal Entertainment Group, the largest movie theater chain in the US, and parent to Regal Cinemas, United Artists Theaters, and Edwards Theaters, has filed a letter with the New Hampshire Attorney General, alerting that they have experienced a data security breach that involves at least 120 New Hampshire residents. While it wasn’t mentioned — and personally, because it wasn’t mentioned — it seems likely that data security solutions like file encryption from AlertBoot encryption software solutions were not used. If someone is using encryption to protect data, it’s usually a fact that’s paraded around; consequently, not mentioning encryption tends to be because it wasn’t used.
Employees are being offered identity theft protection and fraud resolution services for one year, free of charge. And in what may be one of the worst employee-relations letters ever written, employees are being alerted that the company’s investigation “indicates that some of your [the employees’] personal information, including your Social Security number, name, and address may have been included in the lost backup tape. However, it is important to note that absolutely no customer or guest data was exposed.” [emphasis theirs]
I’m sure the fact that customers were not affected is important when you consider the bigger, overall picture. However, is this what a company wants to be emphasizing when sending a letter to employees? Or rather, is this what employees want emphasized? I guess the answer is “yes” if they’re just so totally focused on the customer. However, my guess is that in addition to employees grumbling about management incompetence, a great majority will read the above words and state that the company doesn’t care about them; it’s just human psychology to do so.
It behooves Regal Entertainment Group to start using backup tape encryption. In addition to preventing a recurrence of employee information being at risk, Massachusetts has already passed a law stating that sensitive, personal information must be encrypted if stored in digital format, including information found on backup tapes. And the definition of personal, sensitive information includes the combination of names and SSNs stored in the same medium. Assuming the lost backup tape includes employees working across all states, Regal would have been in breach of Massachusetts law (the law takes effect beginning next year – only two months away) just by losing the backup tape.