Orangeburg-Calhoun Technical College, known as OCtech, has issued a press release alerting students and faculty that a laptop was stolen from the school’s premises. They make a point of noting that the sensitive data on the laptop was stored in a format that was not “easily recognizable”; however, it is questionable whether that refers to something akin to managed laptop encryption from AlertBoot.
While encryption software does turn information into a format that is not easily recognizable, it’s also true that, strictly speaking, information stored as plaintext (i.e., easily readable by a person) is stored in a similar manner. After all, how many of us can read a string of ones and zeroes?
So, is this “not easily recognizable format” a reference to encryption or not? I’m guessing not.
In many ways, OCtech can be excused over the data breach. After all, it’s not as if the laptop was stolen from an employee’s car that was left unlocked, or because somebody mistakenly uploaded the information to an unsecured server. It was the victim of an everyday crime that has proven impossible to uproot since time immemorial.
On the other hand, this one laptop did end up affecting about 20,000 former and current students and faculty members, according to databreaches.net. To make it worse, it turns out that the data was sensitive in nature: among other things, SSNs were stored. Granted, some researchers have found that an individual’s SSN sells for less than a cup of latte, but its value is much higher, just as the price of a commodity (copper, beef, an SSN) is lower than that of a value-added product (telecommunications cable, steak at a frou-frou foodie locale du jour, IDs that make use of a real SSN).
And what was protecting this valuable information? Password protection. The so-called “protection” that can be easily compromised via a Linux distro CD, a Windows recovery CD, slaving the hard drive to another working computer, buying a software program (or service) that can brute-force the password, etc. – in other words, not really protection at all.
How Encryption is Different
Unlike password protection, encryption makes it a point to conceal information. Not only does it make it so that “data is not stored in an easily recognizable format,” it converts the data so that it is hard to recognize without the key. The difference is night and day.
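To make that distinction concrete, here is an added example (not code from OCtech or AlertBoot) that stores a constructed student record two ways: as base64-wrapped JSON, which is “not easily recognizable” yet reverses without any secret, and under a passphrase-derived keystream cipher (HMAC-SHA256 in counter mode, chosen only because it needs nothing beyond the Python standard library; a real deployment would use an authenticated cipher such as AES-GCM). The final check asks the question a thief with the raw disk bytes is asking: does the stored blob give up the SSN with no key?

```python
import base64, hashlib, hmac, json, os, re

SSN_RE = re.compile(rb"\d{3}-\d{2}-\d{4}")

# Constructed sample record; the SSN is fake.
RECORD = {"name": "J. Student", "ssn": "123-45-6789"}

def obscured_store(record: dict) -> bytes:
    """'Not easily recognizable': JSON wrapped in base64. Reversible by anyone."""
    return base64.b64encode(json.dumps(record).encode())

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: an illustrative stdlib-only PRF keystream
    (no integrity tag, so not a substitute for AES-GCM in production)."""
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def encrypted_store(record: dict, passphrase: str) -> bytes:
    """Derive a key from the passphrase (PBKDF2), XOR the JSON with the keystream,
    and prepend the public salt and nonce so the owner can decrypt later."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)
    pt = json.dumps(record).encode()
    ct = bytes(a ^ b for a, b in zip(pt, keystream(key, nonce, len(pt))))
    return salt + nonce + ct

def decrypt_store(blob: bytes, passphrase: str) -> dict:
    salt, nonce, ct = blob[:16], blob[16:32], blob[32:]
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)
    pt = bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))
    return json.loads(pt)

def ssn_recoverable_offline(blob: bytes) -> bool:
    """Auditor's check on the raw stored bytes: look for an SSN as-is and after the
    trivial decodings (base64, hex) that need no secret at all."""
    candidates = [blob]
    for dec in (base64.b64decode, lambda b: bytes.fromhex(b.decode())):
        try:
            candidates.append(dec(blob))
        except Exception:
            pass  # not that encoding; move on
    return any(SSN_RE.search(c) for c in candidates)

if __name__ == "__main__":
    print("obscured leaks SSN:", ssn_recoverable_offline(obscured_store(RECORD)))
    blob = encrypted_store(RECORD, "correct horse battery")
    print("encrypted leaks SSN:", ssn_recoverable_offline(blob))
```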
It’s the reason why most data breach notification laws give a free pass for encrypted information that is lost or stolen. It’s the reason why certain countries have laws that give the state the power to incarcerate people who won’t give up their encryption passwords. It’s the reason why, until a decade or so ago, encryption was classified as a weapon that could be banned from being exported (and in some countries, imported).
Had OCtech used encryption, they would have gotten a free pass under South Carolina law. Indeed, it’s from this one fact alone (combined with the fact that they didn’t outright mention encryption) that I conclude that the stolen laptop was not encrypted.
Instead of being given a free pass, they now have to notify 20,000 people, which is costly in and of itself – yes, a lot of postage, but there will also be other expenditures. OCtech will probably also have to spend time and money supporting any investigations by the state’s Attorney General. There’s also a pretty good chance that they’ll have to defend themselves against a lawsuit – with 20,000 people affected, you can bet someone’s going to launch legal action against OCtech, regardless of whether it has merit. (The courts have ruled so far that data breach-related lawsuits can only proceed if people can prove a direct link between the breach and actual harm.)