Lessons to be Learned from Recent Data Security Breaches
Recently, the Department of Veterans Affairs reported that a laptop containing the personal information of 26.5 million veterans was stolen from an employee’s home. The data included names, social security numbers and dates of birth. The now ex-employee was not authorized to take the data home. This is just the latest in a continuing string of data security breaches.
What are the lessons to be learned? The first lesson is that the individual concerned is no longer employed at the VA. Secondly, UM employees should not be copying confidential data onto laptops or other portable storage media (USB drives, CDs) unless there is an unavoidable need, this need has been approved by appropriate University management and, most importantly, suitable safeguards have been implemented to protect this data.
Defense in depth is an information security principle where multiple layers of security are applied to the underlying data. The number of layers and the strength of each individual layer should be proportional to the sensitivity of the data. The idea is that if one layer of security is breached, another underlying layer may still serve to protect the data. Let us apply this principle to a practical application – protecting a laptop with sensitive data on it.
The very first issue is “Do I really need to save confidential data on my laptop, and what would happen if an unauthorized person gained control of this?” What kind of data is stored here? Identifiable health data? Confidential financial information? Account numbers and passwords? Social Security and/or credit card numbers? Unpublished research papers? Sponsor names and contract details? Clinical trial details? Proprietary designs or undisclosed inventions? Benefactor names? Course grade results? Staff member reviews? Decryption keys or passphrases? Application and server passwords? There are laws, both federal (e.g. HIPAA, GLBA, PCI, FERPA) and state (e.g. social security number use, credit card exposure) where the University could be held liable if confidential information is compromised. Weigh the consequences before saving or copying confidential data and ask if it is really necessary to store it on your laptop or other mobile device. Leave data on university servers as much as possible and do not copy sensitive information to the mobile device.
Assuming there is a legitimate, undeniable need, permission/approval must be sought, and the conditions under which the data can be copied to the laptop should be explicitly spelled out by the owner of the data. Secondly, physical measures should be employed to protect the laptop. One example of such a physical measure is using a security cable to lock the laptop computer to a large, heavy object when it’s not being transported or otherwise protected. If you are transporting the laptop in your car, then store it in the locked trunk.
Are any of these measures foolproof? Cars can be stolen, homes/offices can be burglarized and cables can be cut. We need an additional layer of protection – a technical safeguard – which is encryption of the sensitive data (or encryption of the entire hard disk of the laptop). In a well-designed information security program, the data owner would have required the use of some sort of encryption before allowing the data to be copied to the laptop. With encryption in place, the thief would be forced to erase the contents or replace the hard drive, but the sensitive data would not be compromised.
To see a list of tips for protecting portable data please visit http://www.cnet.com/4520-10192_1-6389240-1.html.
To see a list of breaches, please go to http://www.privacyrights.org/data-breach.
Contact your IT support group for details, recommended products and practices for securing laptops and other portable electronic media.
Posted June 21, 2006