The theft of a laptop from an employee’s car has led the Iowa Department of Agriculture and Land Stewardship (IDALS) to announce a data breach. The laptop computer made use of data encryption software (something similar to hard disk encryption, probably). So why the announcement of a breach?
3,404 Iowans Affected
The breach affects Iowa residents who participated in the Iowa Horse and Dog Breeding Program. The laptop was stolen from an employee’s car during a car break-in yesterday (July 22). The computer contained names, addresses, phone numbers, and Social Security numbers.
It was stated that “the computer did have an encryption protection” but the department is encouraging people to sign up for ID fraud alerts and such.
Why the Breach Announcement?
Iowa passed a data breach notification law around 2008. Losing a person’s first and last name, along with the SSN, is grounds for sending out notification letters. Unless encryption software is used, that is. If encryption was used to protect the information, safe harbor is granted from going public.
There is, however, a provision in there that requires a breach notification if there is an elevated risk to those involved in the breach.
Could it mean that the machine was encrypted, but the password for accessing the device was also present? For example, perhaps taped to the laptop, or maybe jotted down in a notebook (the laptop case was stolen, too…those have space for a notebook).
Or perhaps, instead of using a full laptop encryption solution, the department had only used file encryption? If so, there could be a risk since it can’t be guaranteed that unprotected, sensitive files do not exist on that laptop.
Or maybe the department is just being overly cautious.
On the face of it, though, I must remark that this particular breach doesn’t seem like one where a breach notification is necessary. As it stands, it seems like a whole lot of fear mongering.