Desktop Encryption: LA County Encrypts All Workstations, Will Require The Same From Contracted Agencies.
It escaped my notice, so I’m opining on this three weeks late – to be honest, a quick search seems to indicate that almost no one covered this particular development – but Los Angeles County has moved to up their data security by pursuing workstation encryption, as seen in this motion. All I can say is, “Finally!”
LA County and All Contracted Agencies
According to the latimes.com, this latest move by the Los Angeles County comes after the Sutherland Healthcare Solutions data breach from February 2014. Over 342,000 people were affected when someone broke into Sutherland’s offices and stole eight desktop computers. Sutherland was handling medical billing and collections for LA County.
The breach has resulted, so far, in three lawsuits against the county and the healthcare solutions provider.
Workstation Encryption Originally Not Included
One of the surprising things that I uncovered is that LA County specifically had required all laptop computers to be encrypted:
On May 8, 2007, the Board of Supervisors approved Policy # 6.110 – Protection of Information on Portable Computing Devices, which requires all laptop computers to be encrypted. This policy should be extended to include the encryption of County departments’ computer workstation hard drives to increase the level of protection of confidential/sensitive data including personally identifiable information and protected health information.
Why just laptops; why so restrictive, if you will? Then I see the date, and realize that smartphones and tablets weren’t as prevalent on May 8, 2007. After all, the first iPhone didn’t make its debut until nearly two months afterwards (and the iPhone wasn’t immediately the surprise hit we think of today. It took the 3GS to really make its mark).
Plus, the policy name is “Protection of Information on Portable Computing Devices” so it makes sense that workstations were excluded. But why weren’t external hard drives a cause for concern back then? USB flashdrives were everywhere, and already making their mark in the data breach world. So… a little restrictive.
And that still doesn’t answer why desktop computers were taken out of the loop.
The Obvious Step
Encryption on desktop computers is….well, it should be obvious that one needs it. I just don’t understand this cognitive dissonance when it comes to desktop encryption, as I’ve often pointed out.
There was a time, before the naughts (that is, 2000’s), when a desktop computer was a heavy, complicated affair. Hooking up a monitor cable to the computer – and possibly the mouse as well, if you didn’t have a PS/2 port – involved two screws. The chassis was at least the size of a microwave oven (I was going to say VCR, but those aren’t around anymore, either). It weighed enough to make things uncomfortable. Quickly stealing one of these contraptions would have been a bit challenging, although not impossible.
Enter the naughts and the craze for miniaturization. The RAZR came out. DVD players laid waste to VCRs. MP3 players knocked over DiscMans. And workstations became these tiny things. There are college textbooks that are heavier and bigger than desktop computers. And yet computer and IT departments across the world still acted as if workstations hadn’t changed since the naughts. Quickly stealing one of these contraptions wouldn’t have been challenging in the least. Just unplug all USB ports (takes less than 15 seconds) and slip it into your backpack. Heck, slip two – they’re that small.
Companies, agencies, and other organizations that make a point to exclude desktop computers from their disk encryption plans today are making a big mistake. The “physical security” that used to make them “safe” is not there anymore. New laws and regulations have introduced and increased compliance risks. The value of personal, sensitive data has also increased the risks of a computer being stolen.
Will others follow in LA County’s footsteps? Or will they, too, wait for the stuff to hit the fan before doing something about it?
I toss my hat in the second ring.
Related Articles and Sites: