Information Security and You

Recently in Nashville there was one of those major security breaches that happened as the result of too much information being on a portable computer drive. In this specific case a laptop was stolen from the Nashville Election Commission with what I think was the entire voter registration database (social security numbers and all). There is a large community of people who are shocked and appalled by this incident. While it is appalling, I am in no way surprised.

I have no intimate knowledge of the specifics in this case, but I see the possibility for cases like this all of the time. The issue arises because people need access to sensitive data in order to do their jobs. Sometimes the organizations don’t have the resources (financial, knowledge, and/or time). More often the organization doesn’t have the willingness, and by “the organization” I mean the people who work at the organization. What do I mean by willingness? Data security is not just about policies and network topography; it also comes with many inconveniences.

When something like this happens there tends to be an uninformed mob that wants heads to roll. The thing is, this doesn’t happen from a single mistake, it happens from a long series of errors in judgement that come from thinking security is someone else’s problem. Even well intentioned and diligent organizations have a hard time maintaining the kind of data security that prevents someone from walking away with a laptop that has access to sensitive personal information.

A large part of the people I know professionally are walking around with laptops that could make headlines if they were stolen and people realized what was on them (or what those laptops had access to). The thing is that for the most part, we couldn’t do our job without that kind of access.

That is not to say that solid information security is impossible; it can be done. It is hard work and reduces the efficiency of the organization. It requires everyone in the organization and it can cost a lot of money.

It sucks, but personal data theft is a fact of life now. Prepare accordingly.

BTW, steal my laptop and I will kill you with my bare hands.

4 Comments

  1. fishwreck
    Posted January 4, 2008 at 10:22 pm | Permalink

    Too true. On the other hand, better protection of sensitive data sometimes just requires better application of common sense — like not leaving your laptop out in plain view of an exterior window while your building and its surroundings will be vacant for a week or more, especially if said laptop contains the name, address and complete SSN of 337,000 people.

  2. dob
    Posted January 8, 2008 at 1:25 pm | Permalink

    This particular class of information security problem is fairly easy to solve. PGP Whole Disk encryption or TrueCrypt, et voila.

  3. Posted January 8, 2008 at 1:30 pm | Permalink

    Unless the laptop was not shut down and was only in hibernate. At that point disk encryption is a moot point.

  4. fishwreck
    Posted January 8, 2008 at 11:04 pm | Permalink

    And especially if the username and password are taped to the top of the laptop. No amount of encryption and other security layers will overcome poor security practices.

    The problem with this theft (as in most thefts of information) was the human element, specifically the Metro Election Commission staff’s near complete disregard for sound security practices and for the value of the information with which they were entrusted.
