PSEG, a NJ-based power company, has notified the New Hampshire Attorney General's office about a September data breach, according to a letter unearthed by databreaches.net. A break-in at an employee's home resulted in the theft of a laptop and other items. The letter mentions password protection on the laptop, but not hard drive encryption software like AlertBoot.
3 NH Residents Affected – How Many More?
According to the letter to the AG, the burglary occurred on September 25. Multiple items were stolen from a PSEG employee's home, including the aforementioned laptop. Personal information of PSEG employees, including names and Social Security numbers, may have been stored on the computer. Three New Hampshire residents were affected, although the total number affected is unknown.
Although databreaches.net points out that the letter does not say whether the laptop was a company-issued one, I can't help believing that it was. When the employee found that the laptop was missing, he "promptly reported the incident to the police and appropriate PSEG personnel."
Generally, you don't go around reporting the loss of your personal laptop to your employer. Of course, we can't dismiss the possibility that it was the employee's personal computer and that he knew it held sensitive employee data, which is why he got in touch with the appropriate PSEG people.
If the latter is the case, I applaud the employee: it would have been so easy not to report the incident and let the chips fall where they may.
The letter points out that password protection was used on this laptop; however, the use of encryption software to protect the laptop from unauthorized access is not mentioned. Password protection, of course, is not really protection: the Windows login prompt gates the running operating system, not the bytes on the disk. Why, earlier today I was talking to a computer repair technician who was having problems servicing a computer. Had encryption not been in place, he noted, he could just use a Linux CD to bypass the Windows username and password prompt!
The use of laptop full disk encryption, on the other hand, was preventing him from accessing the computer. (What can I say, except that that's the point?)
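The technician's Linux CD trick works because a login password says nothing about whether the data on the disk is ciphertext. The only way to know is to look at the block device chain under the filesystem. Below is an added example (written for this page, not code from the original post, from PSEG, or from AlertBoot) of a POSIX shell check that does exactly that on Linux. It parses the output of `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME` (real util-linux column names; `PKNAME` is the parent device) and walks from the mounted filesystem down to the raw partition, so it also catches the common LVM-on-LUKS layout where the root volume itself is of type `lvm` and only its parent is the dm-crypt mapping. The function name `volume_encrypted` and the two sample listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: decide whether the filesystem
# behind a mount point actually sits on an encrypted block device, instead of
# trusting that a login prompt means the data at rest is protected.
#
# Input on stdin is the output of
#   lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME
# PKNAME is each device's parent, which lets us walk from the mounted
# filesystem down through LVM and dm-crypt layers to the raw partition.
#
# Usage: volume_encrypted MOUNTPOINT < lsblk_output
# Exit status: 0 = an encrypted layer is in the device chain,
#              1 = no encrypted layer, 2 = mount point not in the listing.
volume_encrypted() {
    awk -v mnt="$1" '
        # Extract the value of one KEY="value" pair from an lsblk -P line.
        # A space is prepended so that the key TYPE does not match FSTYPE.
        function field(line, key,    s, m) {
            s = " " line
            if (match(s, " " key "=\"[^\"]*\"")) {
                m = substr(s, RSTART, RLENGTH)
                sub("^ " key "=\"", "", m)
                sub("\"$", "", m)
                return m
            }
            return ""
        }
        {
            name = field($0, "NAME")
            type[name]   = field($0, "TYPE")
            fstype[name] = field($0, "FSTYPE")
            parent[name] = field($0, "PKNAME")
            if (field($0, "MOUNTPOINT") == mnt) start = name
        }
        END {
            if (start == "") exit 2
            # Walk towards the physical disk. A dm-crypt mapping (TYPE=crypt),
            # a LUKS container (FSTYPE=crypto_LUKS) or a BitLocker volume as
            # blkid labels it when a Windows disk is examined from a rescue
            # system (FSTYPE=BitLocker) anywhere in the chain means the bytes
            # on the disk are ciphertext.
            for (n = start; n != ""; n = parent[n]) {
                if (type[n] == "crypt" || fstype[n] == "crypto_LUKS" || fstype[n] == "BitLocker") exit 0
            }
            exit 1
        }'
}

# Constructed sample listing (not a real machine): LVM on LUKS, the usual
# "encrypted install" layout, with the EFI system partition left in the clear.
SAMPLE_LUKS='NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi" PKNAME="sda"
NAME="sda2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="sda"
NAME="cryptlvm" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT="" PKNAME="sda2"
NAME="vg-root" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="cryptlvm"
NAME="vg-home" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/home" PKNAME="cryptlvm"'

# Constructed sample listing: a password-protected laptop with no encryption
# at all, which a rescue CD can read straight from the partition.
SAMPLE_PLAIN='NAME="nvme0n1" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="nvme0n1p1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi" PKNAME="nvme0n1"
NAME="nvme0n1p2" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="nvme0n1"'

# Stand-alone demonstration on the constructed samples.
for mnt in / /home /boot/efi; do
    if printf '%s\n' "$SAMPLE_LUKS" | volume_encrypted "$mnt"; then
        echo "LUKS sample, $mnt: encrypted"
    else
        echo "LUKS sample, $mnt: NOT encrypted"
    fi
done
if printf '%s\n' "$SAMPLE_PLAIN" | volume_encrypted /; then
    echo "plain sample, /: encrypted"
else
    echo "plain sample, /: NOT encrypted"
fi

# On a live system (needs lsblk from util-linux):
#   lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME | volume_encrypted / && echo "/ is encrypted"
```

The check answers only one question: is the data at rest ciphertext? It does not tell you whether the key is protected by a passphrase the thief cannot guess, and it says nothing about a machine that was stolen while asleep with the key still in RAM. Note also that `/boot/efi` in the encrypted sample is reported as not encrypted, which is expected and harmless as long as no sensitive data lives there.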
Had encryption software been installed on the now-stolen computer, the fear that employee SSNs would fall into the wrong hands could have been dismissed (provided the laptop was powered off or hibernated when taken; a machine stolen while merely asleep still holds the disk encryption key in memory). So, had it?
Normally, I would take the fact that A) a breach was made public and B) the use of encryption is not mentioned, and naturally assume that encryption was not used. After all, many states provide safe harbor from data breach notification laws if proper encryption is used.
New Hampshire is not one of those states. A breach must be reported regardless of the presence of encryption. Maryland, New Jersey, Connecticut, and Delaware, on the other hand, are among those states. If a notification letter shows up in one of those states as well, I think we can assume encryption was not used.