According to milforddailynews.com, roughly 3,000 students who receive Medicaid reimbursements had their personal information compromised. The data breach occurred when a laptop belonging to Multi-State Billing Services was stolen from an employee’s vehicle. Full disk encryption would have kept the data out of the thief’s reach; furthermore, since this took place in Massachusetts and involved MA residents, it would have spared the company an investigation under one of the most stringent personal data privacy laws in the country.
Stolen from a Car
Multi-State Billing Services (MSB) admitted in a letter to the students’ parents that a laptop containing “information on nearly 3,000 students from 19 school districts in Central and Eastern Massachusetts and 446 students in Vermont” was stolen in May. Apparently, someone broke into a locked car and stole the laptop, which was “password protected but not encrypted.” Personal information, including Medicaid IDs and SSNs, was stored on the laptop.
Multi-State Billing Services is offering to reimburse the cost of credit security freezes for the next three years. In addition, it has instituted new computer security policies that include the use of encryption software on laptops.
The Probability of ID Theft
This is what the general counsel for MSB had to say:
“We believe that the likelihood of exposure of the student records is low… The nature of the theft suggests that the perpetrator had no interest in, or awareness of, this data.”
This was backed up by milforddailynews.com, which noted that:
The local police have called the theft of the laptop “random,” according to MSB, which believes the laptop was stolen for resale.
Well, isn’t that hunky-dory? The problem with this particular assessment is that, honestly, there is no way to know. How many laptops stolen from cars are sold immediately? We don’t know. How many have their data copied before being sold? We don’t know. How many thieves take a laptop knowing the information on it is worth more than the hardware? We don’t know.
Also, consider this: even if 49% of laptop thefts were about the data, it would still be technically defensible to say the laptop was “probably” stolen for resale (at 51%). That is a statement about probabilities, not a reassurance, and it does nothing for the families whose SSNs are now in a stranger’s hands.
Massachusetts has “Onerous” Encryption Laws
What I find most surprising about this entire story is that MSB decided not to use encryption on the employee’s laptop despite the fact that it contained personal information. Based on what I’ve read, the implication appears to be that the employee wasn’t acting outside company policy by storing that data on the now-stolen device… meaning that it is MSB, not the employee, that now finds itself on the wrong side of the law.
Massachusetts, for example, has one of the most stringent data protection and data privacy laws in the country. 201 CMR 17.00 requires that laptops holding personal information be encrypted. Let’s revisit that sentence, shall we? It is required that the information be encrypted. Furthermore, the regulation makes clear that password protection is not an acceptable substitute for encryption. The distinction matters: a login password only gates the operating system. Pull the drive and attach it to another machine, or boot from a USB stick, and every file is readable as-is. Properly implemented full disk encryption leaves the data unreadable without the key, regardless of who holds the hardware.
The potential cost for not following the letter of the law? $5,000 per violation, although there is some contention over whether “per violation” means $5,000 per laptop or per affected person. If the latter applies, MSB is facing roughly $15 million in penalties for the Massachusetts students alone (and the state is not exactly reluctant to go after companies).
Plus, there’s the question of whether the company will lose its contract with Milford Public Schools. All in all, not using encryption was a terrible decision.