Reviewing a list of old stories I’ve missed over the past month, I see that a small skin care clinic, Preferred Skin Solutions, based out of Tulsa, Oklahoma, has reported a data breach. A computer was stolen, prompting the clinic to reach out to clients. It’s a situation that a simple remedy would have prevented: using drive encryption software like AlertBoot.
However, the story is notable for what the clinic did right, which, one could say, puts larger outfits with better resources to shame.
We Always Shred Financial Information
Thieves broke into the clinic on the night of January 24, 2012, and stole a laptop computer and a CD player. The personal information of more than 400 clients was lost as a result. Thankfully, no financial information was stored on the stolen laptop.
The clinic’s manager had this to say regarding financial information: “We’ve always made a point that we don’t store anything like that on our laptop, and what we do is take their information one time and then we shred their information.”
This is a smart move. The best way to protect data against data breaches is to not store it. Plus, such a procedure makes compliance with PCI-DSS immaterial, as far as data storage is concerned. It’s a win-win for everyone, even for clients who face the annoyance of having to provide their information each time they visit the clinic, as subsequent events have revealed.
However, this is only a realistic option for businesses where volume is “low.” A company like, say, Walmart could never get away with this without adversely impacting its bottom line.
What About Personal Data?
There is the problem, however, of securing client data. It wasn’t revealed what kind of information was stored on the stolen laptop, but I would assume that at least first and last names were stored, as well as email addresses (clients were alerted to the breach via email).
On the whole, such personal data is not deemed “sensitive” by most, and rarely is such data protected with encryption software. However, seeing how identity theft is rampant across the world, and phishing attempts are made to gain such data on a global basis, it’s always a good policy to keep this information secure. (Actually, for companies with hundreds of thousands of registrants, encrypting email addresses might be more than a good idea.)
Had Preferred Skin Solutions used disk encryption software on their stolen laptop, I would have given them an “A+” as far as data security is concerned.