Catholic Social Services (CSS) of Anchorage, Alaska has issued a press release, alerting their clients that a laptop computer with sensitive information was stolen on February 1, 2011. The laptop was not protected with full disk encryption like AlertBoot, forcing CSS to send out breach notification letters under HIPAA/HITECH.
Contractor to Blame
According to the press release, the laptop was actually used by a contractor supporting the Pregnancy Support and Adoption Services program. The device — stolen from the contractor’s vehicle — contained names, addresses, phone numbers, email addresses, dates of birth, driver’s licenses, health and family history, financial status, and recommendations on whether clients were ready to adopt children.
CSS has noted that it is adopting certain practices, including “employing encryption methods for confidential information.” A little too late: encryption software can only work for you when it’s installed before you have a data breach. It’s not unlike health insurance, where you’re essentially betting that something bad will happen to you in the future (and the companies are betting it won’t, at least not in the foreseeable future).
Then again, CSS did say it was to prevent future breaches.
Too Much Déjà Vu and Other Criticisms
There are many things about this story that, frankly, show up in your “average” data breach story, aside from deploying encryption after a data breach takes place:
Badly protected client data
Contractor / Third party
A car break-in
Plus, there is this:
Although the laptop has not been recovered, we believe that there is a low likelihood of identity theft. The laptop was password protected and we are uncertain if the information was accessed. However, as with any breach of personal information, some risk does remain.
Dissent at phiprivacy.net stole the words right from my mouth:
Such statements [like the above by CSS, on password protection] reduce the likelihood of those notified taking prompt and effective steps to protect themselves from harm and should be loudly and roundly rejected by every privacy advocacy group and organization.
Not only privacy advocates, but anyone who is concerned about data security. What’s wrong with password protection, you might ask?
As you can see from the link above, password-protection is a misnomer: it protects your computer’s contents mostly from you. Well, you and other kind-hearted people who don’t know better. However, someone who is hell-bent on figuring out how to bypass password security will find that it’s very easy to do.
Contrast that with bypassing encryption, which, more often than not, turns out to be pretty much impossible to do.
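The distinction the post is drawing can be shown in code. The following is an added example, not code from the original post or from AlertBoot or CSS: it models a laptop as a login check in software sitting in front of the bytes on a drive, and then stores the same client record encrypted at rest instead. The laptop model, the client record and the passphrases are constructed for the example; the cipher is ChaCha20 as specified in RFC 8439 (written out in pure Python so the block runs with the standard library only), with a scrypt-derived key and an HMAC-SHA256 tag so a wrong passphrase fails cleanly instead of yielding garbage.

```python
"""Added example (not code from the original post, AlertBoot or CSS).

It contrasts the two protections the post discusses:
  * a login password, which is only a software gate in front of the data, and
  * encryption at rest, which changes the bytes actually stored on the drive.
The laptop model, the client record and the passphrases are all constructed here.
"""
import hashlib
import hmac
import os
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """One 64-byte keystream block of ChaCha20 as specified in RFC 8439."""
    assert len(key) == 32 and len(nonce) == 12
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]  # "expand 32-byte k"
    state += struct.unpack("<8I", key)
    state += [counter & MASK32]
    state += struct.unpack("<3I", nonce)
    w = state[:]
    for _ in range(10):  # 10 double rounds = 20 rounds (column, then diagonal)
        for a, b, c, d in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                           (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            w[a] = (w[a] + w[b]) & MASK32; w[d] = _rotl(w[d] ^ w[a], 16)
            w[c] = (w[c] + w[d]) & MASK32; w[b] = _rotl(w[b] ^ w[c], 12)
            w[a] = (w[a] + w[b]) & MASK32; w[d] = _rotl(w[d] ^ w[a], 8)
            w[c] = (w[c] + w[d]) & MASK32; w[b] = _rotl(w[b] ^ w[c], 7)
    return struct.pack("<16I", *((w[i] + state[i]) & MASK32 for i in range(16)))


def chacha20_xor(key: bytes, nonce: bytes, data: bytes, counter: int = 1) -> bytes:
    """Encrypt or decrypt (same operation) by XOR with the keystream."""
    out = bytearray()
    for i in range(0, len(data), 64):
        keystream = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], keystream))
    return bytes(out)


def seal(plaintext: bytes, passphrase: str) -> bytes:
    """Encrypt-then-MAC container: salt | nonce | ciphertext | HMAC-SHA256 tag."""
    salt, nonce = os.urandom(16), os.urandom(12)
    dk = hashlib.scrypt(passphrase.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=64)
    ct = chacha20_xor(dk[:32], nonce, plaintext)          # first 32 bytes: cipher key
    tag = hmac.new(dk[32:], salt + nonce + ct, hashlib.sha256).digest()  # rest: MAC key
    return salt + nonce + ct + tag


def open_sealed(container: bytes, passphrase: str) -> bytes:
    """Verify the tag first, then decrypt; a wrong passphrase fails cleanly."""
    salt, nonce, ct, tag = container[:16], container[16:28], container[28:-32], container[-32:]
    dk = hashlib.scrypt(passphrase.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=64)
    expected = hmac.new(dk[32:], salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong passphrase or tampered container")
    return chacha20_xor(dk[:32], nonce, ct)


class Laptop:
    """Constructed model: a login gate in software in front of bytes on a drive."""

    def __init__(self, login_password: str, file_bytes: bytes):
        # Hypothetical stand-in for an OS account password check.
        self._login_hash = hashlib.sha256(login_password.encode()).digest()
        self.drive = {"clients.csv": file_bytes}  # exactly what the disk stores

    def login_and_read(self, password: str, name: str) -> bytes:
        if not hmac.compare_digest(hashlib.sha256(password.encode()).digest(), self._login_hash):
            raise PermissionError("wrong login password")
        return self.drive[name]


def bytes_on_drive(laptop: Laptop, name: str) -> bytes:
    """What the storage medium itself holds, independent of any login:
    a password gate leaves these bytes untouched; encryption does not."""
    return laptop.drive[name]


# Constructed record of the kind the post lists (name, address, DOB, licence, readiness)
CLIENT_RECORD = b"Jane Example,1 Sample St,DOB 1980-01-02,DL X0000000,ready to adopt: yes\n"


def demo() -> dict:
    password_only = Laptop("hunter2", CLIENT_RECORD)
    encrypted = Laptop("hunter2", seal(CLIENT_RECORD, "correct horse battery staple"))
    stored = bytes_on_drive(encrypted, "clients.csv")
    return {
        "plain_readable_without_login": bytes_on_drive(password_only, "clients.csv") == CLIENT_RECORD,
        "record_visible_in_encrypted_drive": CLIENT_RECORD in stored,
        "recovered_with_passphrase": open_sealed(stored, "correct horse battery staple") == CLIENT_RECORD,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports that the password-only drive holds the record in the clear regardless of the login gate, while the encrypted drive holds nothing that matches the record and only yields it to the correct passphrase. Real full disk encryption products use the same principle with a different cipher mode and with the key held by hardware or a pre-boot passphrase; the point the example makes is that the difference is in the stored bytes, not in the login screen, which is also why encrypted-at-rest data is treated differently under HIPAA/HITECH breach notification.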