Aegis Sciences Corporation has filed a letter with the New Hampshire Attorney General’s office regarding the theft of an employee’s laptop computer and external hard drive. This is another case where a company has decided to fix its barn doors after horses have bolted. Sure, they’re going to ensure laptop computer encryption is on all of their computers going forward. But why wait until something has happened?
And why just laptops? External drives can be easily encrypted. With AlertBoot, it’s included with the encryption of the laptop.
According to the letter, the laptop computer and external hard drive were stolen from an employee’s vehicle. Off the top of my head, I think this is the most indicated “venue” where laptops are stolen from when it comes to data breach notifications. The letter goes on to note that the employee was “authorized to carry these items” by the company.
Which is problematic because the devices stored,
information related to (i) individuals who were drug tested and (ii) individuals associated with the provision of drug testing services (e.g., collection technicians). The files contained full names, social security numbers, drivers’ license numbers, dates of birth and phone numbers.
Test results and medical records were NOT included. Aegis is implementing security measures and training to minimize similar breaches in the future, including “encrypting all laptop computers.”
One New Hampshire resident was affected. It wasn’t revealed how many were affected in total.
A Good Decision, Limited in Its Scope, A Little Late
As I’ve noted quite often, you can’t fully prevent a data breach from happening. Even if you encrypt all of your data on all of your devices, there’s always that minuscule chance of a breach: inside jobs (data theft), passwords on sticky notes, etc.
Despite this, it’s always a good idea to use encryption on any device that does or will store sensitive data. It’s a matter of risk management: the odds of losing a laptop are much higher than those of an inside job occurring or of someone’s laptop being lost along with the password.
So, Aegis’s decision to encrypt all laptop computers is a good one. Of course, a better decision would have been to do it before the data breach. It boggles my mind that an employee was authorized to carry around sensitive data without adequate data protection.
Also, Aegis might want to revise their policies and actually extend the use of encryption to all external hard drives as well as desktop computers.
For the latter, because offices and homes get broken into all the time. Sure, the odds of a desktop getting stolen are pretty low. However, it’s not unheard of. I recall at least two instances where desktops were stolen in 2011 — and these are only the instances that were (a) reported and (b) found by me. I’m sure there are plenty of incidents that were not reported or were overlooked by yours truly, and it happens at a rate significantly higher than twice a year.
For the former, it only makes sense: if laptops are easily stolen, external disk drives are even more easily stolen. It makes no sense to encrypt all laptops but allow external HDDs to go unprotected. With a solution like AlertBoot, it’s quite easy: it’s done automatically (just plug it into an AlertBoot-encrypted computer) and at no extra cost to encrypting your laptop.