They say that car break-ins are a crime of opportunity: not even the thieves know when or where it will happen, or which car or what types of articles will be filched. Well, I’ve just run across the ultimate opportunistic crime: Westmont College, in California, has announced that a professor’s laptop computer was stolen while he was “briefly parked at a gas station.”
Naturally, the laptop computer was not protected with disk encryption software like AlertBoot (otherwise we probably wouldn’t be bringing it up on this blog). As a consequence, according to databreaches.net:
a number of applications for the Europe Program and Summer Scholars “and may have contained your name, Social Security number, and other limited personal information contained in your application.”
The number of people affected by this latest data breach has not been revealed, although I can’t imagine it to be a substantial figure (this is not to say that the breach in of itself is not terrible for parties involved): the small college saw enrollments of 1,355 in 2012 per Google. On the other hand, the lack of concrete dates does not proscribe the possibility that it was a 20-year database. (On a laptop? Yep. I’ve read of enough cases to know that it happens. A lot.)
As pondered by Dissent at databreaches.net, why is this still happening in 2015?
I imagine it’s the same reason why you can still find people who balk at using their car seatbelts. And, actually, that’s quite telling. Statistics show that the majority of drivers today use their seatbelts. But this was not always the case. Knowing that people generally don’t change their behavior, how have countries managed to induce people to change their habits?
For one, they passed legislation requiring manufacturers to fit seatbelts in all cars, which was a great idea: you can’t put on a seatbelt if you don’t have one. Second, some countries make it compulsory to wear seatbelts. And last but not least, countries made it a point to serve public announcements. The constant reinforcement had an effect.
Likewise, we may find that a similar strategy is required to change people’s habits when it comes to data security. We are already heading in that direction: after the Snowden leaks, more and more companies are increasingly offering data security features – like disk encryption – as a standard feature in their devices and services. (Interestingly enough, it’s not governments initiating this; they’d rather that the initiative stop in its tracks.)
In addition, countries are increasingly requiring handlers and keepers of sensitive data to secure the information under their management. For example, the use of encryption is showing up as a safe harbor clause from penalties in many laws and industry regulations, furthering its use and increasing the overall level of security. (Another interesting fact: governments are encouraging encryption, which is at odds with their petitions not to make encryption the default on devices.)
Last but not least, people are being educated, however shallowly, about the importance of data security. These are not public service announcements but the effect is the same nonetheless. Whenever I happen on an on-line conversation about data breaches, the comments section are peppered with questions on the use of encryption, whether HIPAA laws apply, etc, by ordinary folk. The message is getting out there.
Still, I can guarantee that stories like Westmont College’s will never stop existing. Just like you can still find people who met their maker because they were not wearing their seatbelts. After all, it’s just too easy:
Related Articles and Sites: