According to databreaches.net, Warren County Community College is alerting students of a data breach. Apparently, a laptop computer that was not secured with drive encryption software like AlertBoot has gone “missing.” Due to the possibility of theft being involved, students affected by the breach are being notified.
Updated (04 NOV 2011): More news outlets are reporting on the breach. More at the end of this post.
Stolen Off Campus
The public breach announcement found at the Warren County Community College website is quite meager on the details. While we have a what and a when, we have no who, how, where, and why. We know a laptop computer went missing around September 27.
On the other hand, whether it was actually stolen; who instigated the breach; why the laptop was taken off campus; whether authorization was given to take the laptop off campus; and other details are just not there.
We also know that the names and Social Security numbers of “some current and former students” were on the password-protected laptop. (Password protection is not laptop encryption: it doesn’t provide real security.) Whether the “some” in this case refers to a number around 3, or is used in some colloquial way, is not known.
I imagine it’s the latter, since there’s absolutely no way any organization would publicly note that three people were affected by a data breach.
In fact, the New Jersey law covering issues of breach notifications, the New Jersey Identity Theft Protection Act (N.J.S.A. 56:8-163), notes that publicizing the breach is acceptable if the cost of notifying people would exceed $250,000 or involves more than 500,000 people.
Not a Big Breach?
That being said, it doesn’t appear that $250,000 or 500,000 people are involved. The reason? The law revolving around public posts of breaches notes (my emphasis):
3) Substitute notice, if the business or public entity demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or the business or public entity does not have sufficient contact information. Substitute notice shall consist of all of the following:
(a) E-mail notice when the business or public entity has an e-mail address;
(b) Conspicuous posting of the notice on the Internet web site page of the business or public entity, if the business or public entity maintains one; and
(c) Notification to major Statewide media.
That is, Warren County Community College would also have been forced to send emails and to alert local news outlets. I don’t see this reported anywhere but the databreaches.net site, which I’m pretty sure is not considered “major Statewide media.”
Of course, it could mean that Warren County Community College hasn’t quite complied with the law to a T. Or, that local news media are being pretty slow about reporting it. Or, that Google News and other news aggregator sites didn’t deem the issue to be newsworthy.
It could also mean that the college is going above and beyond the law, in an effort to be more transparent: the number of students affected is actually pretty small, but they decided to go public with it.
This is a cheap shot, especially as a concluding statement, but if the college really wants to go above and beyond, they’d have ensured that the laptop in question was protected with encryption software. The real point behind the notification laws is to prevent milk from being spilt by waving a giant stick, not forcing people to cry louder than the other guys when it is spilt.
Well, it looks like local news was slow to report the breach. At least four websites are reporting on the Warren County Community College data breach and we now have access to more details:
As many as 5,461 people could be affected (current and former students, and applicants) (nj.com)
The laptop computer belonged to an employee working with the Financial Aid office
The information went back “a couple of years”