New Hampshire is one of the few states that require a data breach notification even if the sensitive information was protected by a data protection program such as AlertBoot disk encryption software. This means that companies like Normandeau Associates must file a letter with the Attorney General when a laptop is stolen, even if they were practicing caution and using file encryption.
Normandeau Associates Reports Stolen Laptop
According to the letter filed with the AG, a computer holding personal information on 277 NH residents (who knows how many more were affected elsewhere) was stolen from an employee's home in November 2008. It was recovered in February 2009.
However, the fact that the laptop had been stolen did not come to light until June 2009.
According to a copy of the letter sent to affected residents, the laptop contained a database of past and current Normandeau employees, including SSNs, names, and bank account numbers.
Computer Policy Not Followed (Unintentionally, Of Course)
So, why was this database on the laptop computer? Normandeau explained that while they do not normally allow such information to be stored on laptops, the file in this case was stored there temporarily while the company's network was being restored.
The information was supposed to be deleted afterwards, but wasn't, which is being chalked up to an oversight.
Thankfully, the file was encrypted and required specific software to access the data. So, why all the fuss? Normandeau is recommending that everyone who was contacted place a fraud alert on their credit files.
There Are Different Levels Of Encryption
I can only suppose at this point, but I assume the hubbub is over the encryption itself. There are different levels of encryption, and depending on how strong (or weak) the database's encryption happens to be, there could have been a data breach.
For example, text documents created in the "Microsoft Word" word processing program can be encrypted. However, the encryption used is the weak kind (at least, it was during the early 2000s, if I recall correctly), so anyone with the wherewithal could gain access to a protected Word file. I have found online sites advertising such services for $50 or less, with a turnaround time of a week or less.
(What such services engage in is probably brute-force cracking, where every possible encryption key is tried until one works, not unlike going through all the combinations on a three-wheeled lock. The weaker the encryption, the smaller the set of keys to try, and the sooner the attempt succeeds.)
Don't forget, the computer was outside the company's hands for at least 2 months (assuming it was lost on November 30 and recovered on February 1). Again, depending on the type of encryption used, there could have been a serious breach.
The use of whole disk encryption could have helped, but only because companies whose business is encryption software tend to concentrate on the strong stuff, and don't even offer outdated, weak encryption as an option.