Update on June 7: There’s news that the Office of Personnel Management was hacked and the unencrypted personal data of 4.1 million current and former federal employees was accessed. It has been nine years since an unencrypted laptop and hard drive containing sensitive data on 26.5 million current military personnel, veterans, and their spouses were stolen from a Department of Veterans Affairs employee’s home. That security breach led to a push for the use of encryption throughout the federal government, and I hope this breach leads to stronger data protections.
For years, security and privacy professionals have been urging companies to encrypt their data so that when there are security breaches, there is less damage to individuals whose data is accessed. Yet we continue to read reports about companies failing to use this basic tool to secure information.
For example, California-based U.S. Healthworks recently revealed (pdf) that a password-protected yet unencrypted laptop was stolen from an employee’s vehicle. The health-care service provider told employees, “We determined that the laptop may have contained files that included your name, address, date of birth, job title, and Social Security number.”
Financial services company Sterne Agee and Leach was recently fined $225,000 and required to review its security protocols by the Financial Industry Regulatory Authority after a 2014 incident in which a Sterne Agee employee lost an unencrypted laptop after leaving it in a restroom. The laptop included “clients’ account numbers, Social Security numbers and other personal information,” according to a news report.
Also recently, payroll-processing firm Heartland Payment Systems announced (pdf) that password-protected computers containing customers’ personal data were stolen from its California offices. “One of these computers may have stored your Social Security number and/or bank account information processed for your employer,” Heartland said. It is likely that these computers were not encrypted, because Heartland did not say the data was protected by encryption, and the company later said, “Heartland has already encrypted most computers, and as we integrate acquisitions, Heartland is actively working to encrypt any remaining computers in every office that may have access to, or house, PII or payment data.”
And last year, the U.S. Department of Health and Human Services Office for Civil Rights fined two companies for potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules after unencrypted computers were stolen from them. The companies are Concentra Health Services of Missouri and QCA Health Plan, Inc. of Arkansas. “These major enforcement actions underscore the significant risk to the security of patient information posed by unencrypted laptop computers and other mobile devices,” the OCR said.
On a side note, it’s interesting that two of these companies are California-based, which means they are subject to the state’s strong laws on privacy and data breach notification. If you’ll recall, the public learned in 2005 of ChoicePoint’s sale of sensitive data to criminals because California’s security breach law demanded it; federal law did not.