Charles Schwab and Co. has filed a letter with the Attorney General of New Hampshire, according to pogowasright.org. An employee (now fired) took a hard disk containing confidential information off company premises, and the disk was subsequently stolen. It’s not mentioned whether drive encryption software was used. Normally, I’d say that this is a strong signal that it wasn’t used.
Was Encryption Software Not Used?
Of course, only Charles Schwab can say whether the contents were protected with encryption. Since they haven’t revealed this point, I can only guess (well, I guess I could call their PR department and ask for a clarification…)
Anyhoo, I think it should be pointed out that NH’s data breach notification laws don’t provide safe harbor for companies that use encryption. In other words, the fact that the company alerted the AG is not necessarily indicative of encryption not being used (this law differs from the one in California, for example: if a computer was lost but full disk encryption had been used, and California residents were affected, public disclosure is not necessary…for now).
Plus, companies–especially established, big name companies–in the finance sector have been at the forefront of protecting digital information. I’m not saying that all companies managed to get encryption in place; I’m just saying that the odds are pretty high this one is encrypted as well.
Relying on Company Policies
On the other hand, the letter to the AG also notes that the employee took the disk off company premises when he shouldn’t have. This wouldn’t be the first time a company decided not to encrypt a computer, backup tape, external hard drive, or other data storage device because it was protected by locked doors and security guards.
Since it’s not going anywhere, why install additional protection?
Short answer: because a lot of people don’t do what they’re told to do (or is it, they do what they’re told not to do?)
This is not to say that such policies are unnecessary or ineffective. For the most part, if you hire smart people, educating them tends to work great. And, in the long run, it tends to work better and ends up being cheaper than a software-based solution.
But, mistakes happen. And when something needs to be protected absolutely, you need to go the extra mile.