Here we go again . . . here is an article from ZDNet … NY Bank ‘loses’ 4.5M unencrypted customer records.
And talk about timing – as I was reading that article, Jennifer Stoddart, Privacy Commissioner of Canada, was on BNN TV talking about data loss. She was to the point and articulate and I really enjoyed listening to her. (NOTE: they are fast over at BNN.ca, but the clip hasn’t been posted online yet as I write this. It will be later – check it out!)
At the heart of it all was unencrypted data lost over and over again in the same fashion, for the same reasons. The example she gave was of data downloaded to a notebook PC, and then the computer being stolen out of the car it was left in. It seemed to me that Ms. Stoddart said something about hearing this story over and over again. (I’ve seen computers with confidential corporate data on the hard drives stolen right out of offices.) When asked why companies didn’t apply appropriate security to their data, she replied that it came down to cost. As an example she told us about TJX and how the investigation had determined that the TJX executives had decided not to implement tighter security prior to the incident because it would cost too much and would affect their profit. Or words to that effect. It’s all about risk management: TJX gambled – and lost. (Don’t get me wrong, I shop at one of their stores and I really enjoy it – they have some great stuff that you can’t get anywhere else. And by the way, I never use my credit card.)
But I’ve been there too, and I quote: “Keeping all data on protected servers is just not in the budget! It’s just too inconvenient to not be able to take my data home (or to a conference or a vacation or wherever) and work on it. I burn everything to CDs – it’s my backup in case the IT department misplaces it (or) I delete it by accident!”
Is this a good case for ‘cloud computing’? If data lives somewhere other than a local hard drive, is it safer? What about 8 GB USB memory sticks? Should IT departments fill USB ports with epoxy as part of their standard desktop configurations? The bank mentioned in the ZDNet article lost a data backup tape – should they ship their tapes with armed guards like they do with money?
I used to read this site all of the time, but I got tired of seeing the same things over and over . . . but I still wander by once in a while, just in case my name might be on one of the data breaches they report on.
Dean
Thanks to http://www.pogowasright.org for this one:
“32,000 farmers data on stolen laptop”
http://www.winnipegfreepress.com/breakingnews/story/4182176p-4771903c.html
Two points raised here – unencrypted data on the laptop and the delay in notifying the farmers of the breach.
Many years ago, when I was a field tech for a computer reseller, I remember hearing that the RCMP was interested in Compaq notebooks, but the one feature they wanted was not available – hardware-level security that would make the notebook hard drive totally unusable without the appropriate password. Not just a BIOS/boot password, but deeper and tighter encryption. A self-destruct feature if tampered with. It seems to me that Compaq did come up with a solution (that’s why I heard about it): it was a feature on a new model of laptop computer. Whatever happened to that type of thinking from the manufacturers? As users we want convenience, but from a business perspective we need to protect our information. Whatever became of ‘biometrics’ as a tool to secure a computer?