Sometimes, data redaction is not an option, and hence data security solutions like AlertBoot hard drive encryption must be used to secure data–even if data redaction would be, technically, the ideal option. (An ID thief can’t steal what’s not there, right?)
Earlier this year, I had reported how academic researchers had found information belonging to Lockheed Martin on a used hard drive purchased from eBay. Usually, that’s the end of the story (there’s very little continuity to such stories).
However, in this case, it looks like one New Hampshire resident was affected, meaning Lockheed had to file a letter with the state’s Attorney General, as the site databreaches.net has found.
“We are informing you of this incident because your first and last name and Social Security Number (SSN) were contained on the hard drive in question. This was the only personal information found related to you on the drive. We’ve determined that this information was collected between the years of 1999 and 2001 as part of a process to provide access to employees and guests visiting Cape Canaveral and possibly other Lockheed Martin facilities.”
Of course, the question beckons: why is a government contractor collecting SSNs?
Carrying Out Background Checks
I’m taking a stab in the dark here, but it seems to me that the Social Security numbers were necessary for carrying out background checks. (I won’t debate whether SSNs should be used for that purpose; our current reality is that it can be, so a lot of people do…)
Now, it could be argued that once the background checks were completed, the information should have been deleted. I mean, applicants either get access to tour the facilities or they don’t (and if they don’t, maybe you go the extra step of alerting the authorities–hey, there’s this creep trying to get into our facilities!) So, end of story and no need to keep those SSNs.
Except that this assumes that nothing happened afterwards. What if it turns out that, despite the background checks, someone who shouldn’t have been admitted was granted access? You’ll need “paperwork” to protect yourself, one of the elements being the SSNs provided, I assume.
So, even when it’s over, it’s not quite over.
What to do if data redaction/deletion is not a possible solution? With sensitive data–especially that’s saved on a hard disk–I would imagine some type of encryption solution would have been ideal.
Related Articles and Sites: