PC Data Security Blog

Security News Brief: 10-22-08

• Study shows biggest threat to data security comes from the inside. 80% of respondents to the survey said they’ve had at least one data breach this year. 58% of breaches come from mobile devices, including laptops, PDAs and memory sticks. (Dark Reading, Oct. 9, 2008)
• Over half of British companies have lost data. Two-thirds of respondents said negligence was the cause for the data breach in their company. (Computerworld, Oct. 10, 2008)
• Stolen laptop in W.Virginia contained personal information of over 500 state workers. The laptop was stolen from the vehicle of an employee of the state’s accounting firm. (The Charleston Gazette, Oct. 7, 2008)
• Laptops stolen from Boston ACORN office. Police were investigating a break-in at the office of the community activist group. (WBZtv.com, October 17, 2008)
• Newark TSA employee accused of stealing 31 laptops from passenger baggage. Pythias Brown was finally caught when he allegedly stole a $50,000 camera from an HBO crewmember and a camcorder from the bag of a CNN employee. (New Jersey Star-Ledger, Oct. 7, 2008.)

Security News Brief: 10-03-08

• New federal law targets ID theft and cybercrime. The bill lowers the bar prosecutors need to clear before bringing hacking and other cybercrime charges against an individual. (Security Fix, October 1, 2008.)
• Laptop stolen in break-in at McCain campaign office in St. Louis. Campaign officials said the laptop contained information about areas that Republicans are targeting for support. (STLToday.com, October 2, 2008.)
• October is Cyber Security Awareness Month. (Network World, October 3, 2008.)

Security News Brief: 09-09-08

• UK security expert asks, “Why bother holding up a bank when you can steal a laptop?” after Bank of Ireland and the Department of Social and Family Affairs expose personal information of over 500,000 people in separate laptop theft cases. (Sunday Business Post, September 7, 2008.)
  
• Erie County laptop stolen from a health facility in Buffalo, NY contained personal private information of county residents. (WBEN Buffalo, September 5, 2008)
• Laptop with personal data stolen from National Technical Institute for the Deaf. The data contained the names, birth dates and social security numbers of 12,700 applicants to the NTID and another 1,100 people at the Rochester Institute of Technology.  (Democrat and Chronicle, August 31, 2008)
• Ohio school district laptop with student data stolen from Reynoldsburg school employee’s car. The breach affected 4,259 students enrolled in the district. (Columbus Dispatch, August 29, 2008)

Relying on user compliance is risky business.

Most of us have become desensitized to the almost daily reports of laptop loss or theft. Heck, I barely notice them anymore - and I’m in the industry! What blows me away though, is the boilerplate mantra from the spokesman of the at-fault company when defending their indefensible position with the media. Always well-rehearsed and nearly believable, those statements are derived from the now necessary PR outline, “CYA: Laptop Loss, What to Say to the Press”. I happen to have found this early version used in 2006 by a very large aeronautics manufacturer. It has been used and personalized hundreds of times since by companies big and small. Here it is:

“CYA: Laptop Loss - What to Say to the Press”

(note to spokesman: whenever possible try to assign the loss as a theft. A simple loss implies that the user may have been flippant, careless and/or negligent).

1.    (your company name) is very concerned about protecting the privacy of its employees customers and/or clients.

2.    (your company name) has no reason to believe that the laptop was stolen for anything other than the hardware value

3.    The laptop was protected with passwords

4.    The employee of (your company name) is being reprimanded (or terminated) for violation of data security policy. Cite one of these policy violations:

a.    employees are prohibited from taking sensitive data outside business walls on laptops

b.    employee shared or otherwise exposed passwords and/or login credentials

c.    (your company name) has selected, and is in the process, of deploying encryption but have not yet completed the rollout

d.   if possible, assign blame to a rogue contractor, vendor or service provider. This action tends to confuse readers as to whom is really at fault for the breach

5.    Reiterate that “because (your company name) is very concerned about protecting sensitive data,” better and more strict employee (or vendor/contractor) data policy will be effective (fill in reasonable time schedule).

Continue reading Relying on user compliance is risky business….