Maryville Academy, a child abuse services agency in Des Plaines, Illinois, has sent out breach notification letters to former and current clients. The disappearance of three backup hard disks prompted the notifications. It’s a story that shows how physical security is less than ideal when it comes to digital records, and why organizations need to step up their game and start using disk encryption software like AlertBoot.
Nearly 20 Years’ Worth of Records
The three missing hard drives (HDDs) contained information including, but not limited to, names, dates of birth, identification numbers, medical information, treatment information, SSNs, and other information that is required in the process of helping abused children. The breach involved children who’ve visited Maryville between 1992 and January 25, 2011.
The breach was discovered on February 1, 2011. Three backup computer hard drives (external, portable ones) were removed from a locked storage room (chicagotribune.com calls these three drives “three files” but Maryville Academy’s own public notice refers to them as HDDs).
As far as I can tell, it appears that encryption software was not used to secure the data: it wasn’t mentioned in any of the public notices, plus Maryville notes that:
Maryville Academy is now in full compliance with the U.S. Department Health and Human Service’s recommended procedure of using data encryption to protect client’s health information. Maryville Academy has begun a practice using specialized security software to completely encrypt all records on these back-up hard drives. This encryption software scrambles the data on the back-up hard drives, which makes the information unusable in the event they are ever lost or stolen in the future. [Maryville.org, my emphases]
The implication is that Maryville waited to have a breach before using data encryption tools. It’s not unusual to see such behavior. Generally, it’s due to:
Denial: It won’t happen to us; or,
Lack of funds: funds will be appropriated once something happens and the expense can be justified unequivocally.
Physical Security is Important but also a Relic, Needs Support
Maryville’s security practices were probably not too different from what many organizations use when it comes to data security: lock it up. The problem with this approach to data security is that it’s literally “lock it up” and not “lock it up in a safe place.”
But, even if everyone followed the latter to the letter, it bears pointing out that locking stuff up is not necessarily the best security when it comes to data security. What should one use, then? Crypto tools like AlertBoot disk encryption.
Some reply to such a recommendation with “a lock’s worked for centuries. It’s good enough for me.” Can’t argue about locks working for centuries. And, chances are they’re going to be required for centuries to come. And, they do an excellent job of stopping hard drives and laptops from getting stolen. In contrast, encryption cannot prevent the physical theft of an item. Also, computer encryption — or, rather, I should specify modern encryption — has only existed for half a century or so, arguably.
There’s a reason for the latter, though. Computers in their modern format have also existed for about half a century or so. In fact, the only reason why we have modern encryption is because of the presence of computers. Had computers not been invented — with their ability to process incredible amounts of data at instantaneous speeds — modern encryption wouldn’t have been necessary.
It’s a new world out there. It only makes sense to defend and arm yourself with the tools that were developed to combat new threats, which include encryption for portable devices. (Of course, you also need the tools for fighting old threats — those are still here, too.)