Hard Drive Encryption: NY Life Insurance Has Second Breach.

Databreaches.net has noted that New York Life Insurance’s latest letter filed with the Attorney General of New Hampshire is unusually detailed.  A laptop was stolen from a sales agent’s car, and contrary to company policy, the computer was not protected by data encryption software.  The unusual part?  The agent that lost the laptop has been pointed out by name.


Laptop Stolen From Car



According to the letter, the laptop computer was stolen from the agent’s car in what appears to be a smash-and-grab: “…his laptop computer was stolen from his car through a broken window on July 28, 2009.” (The other way to interpret this–that his car window was already broken and someone reached in and grabbed his laptop–is, I hope, not the correct one.)


Sensitive data in the laptop includes names, dates of birth, Social Security numbers, and policy information.  Three NH residents were affected, but the total number of people affected wasn’t revealed.


Two Letters



There are actually two letters in the data breach alert to the NH AG.  One’s a letter addressed to the Attorney General; the other, a sample of what will be sent to potentially affected clients.


This second letter, however, leaves out an important detail.  And by doing so, it implies that data security applications were on the laptop:


“The confidentiality and security of our current and former customers’ personal information is very important to New York Life. We maintain physical, electronic and procedural safeguards that meet state and federal regulations, and we limit employee and agent access to our customers’ information. ” [my emphasis]

At no point does it mention that the stolen laptop was not encrypted, contrary to NY Life’s policies.  Based on the above excerpt, clients can be forgiven for believing that their information was protected via some type of physical or electronic safeguard.


Sales Agent Named



The sales agent was named, as I’ve already mentioned before.  A cynical take would be that NY Life is going out of its way to blame the sales agent involved: It’s not our fault!  It’s Mr. Sales Agent’s fault!  Here; here’s his name!  We have policies that meet federal regulations!


I guess it makes sense, on some level.  A company has a policy that all employees must follow, and here’s this one guy that didn’t use encryption software as per the requirements.  A completely preventable information security breach has come to fruition.


On the other hand, it’s also true that a company has a responsibility to follow up and make sure that people are doing what they’re supposed to be doing.  Assuming that the data security software used at NY Life was centrally managed encryption like AlertBoot, it would have been relatively easy to run a report to see whose laptops were not in compliance with the company’s encryption requirements and take corrective action.



Related Articles and Sites:
http://www.databreaches.net/?p=6689
http://doj.nh.gov/consumer/pdf/nylife2.pdf



Comments (0)


Let us know what you think