Most of the data breaches in the news are from large companies like Sony and Zappos, who collectively had almost 150 million records compromised in 2011 and 2012. Most of the actual data breaches are from smaller companies or compromise fewer records. Unfortunately, like all statistics, if you or your company are affected, it doesn’t matter the size of the breach or the company. You are at risk.
Two smaller but significant events occurred recently to illustrate this.
On December 28, 2012, the US Department of Health and Human Services (HHS) reached an agreement with the Hospice of North Idaho to pay $50,000 for violating the Health Insurance Portability and Accountability Act (HIPAA). That’s a lot of money for a small non-profit organization. The incident involved losing a laptop containing personal health information (PHI) on 441 patients. Since the data was not encrypted, the loss violated HIPAA rules. The laptop was stolen from a hospice worker’s car, and although the thief was apprehended, the computer was not recovered.
According to a press release on the settlement, “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.” said HHS Office of Civil Rights Director Leon Rodriguez. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”
Another event occurred this week involving Atlanta-based Oldcastle APG, Inc. The company informed the New Hampshire Attorney General’s Office that a laptop containing over 5,000 employees’ names, Social Security numbers, and bank account information had been stolen from an employee’s car. The notification letter sent to the Attorney General and employees said the company believes the laptop was stolen for its own value and that no personal data was compromised.
Both of these incidents show that it doesn’t matter who you are. You may have personal, sensitive and confidential information stolen and have to inform authorities and the victims of the data breach. This costs time and money, and probably hurts your reputation. If each company had simply encrypted the data, there would be no event. Under HIPAA and other regulations, there is no data breach if the data is encrypted, since the data is not in a usable or readable format.
The Hospice of North Idaho, as part of its settlement, is encrypting all laptops, enforcing stronger passwords and training its employees on security measures. It’s unclear what will happen in the case of Oldcastle APG, but those measures are a good start.
As an added measure, the companies should think about encrypting the documents with a persistent security policy that worries more about the information than the device or perimeter. Full disk encryption for the laptop is important, but if the thief cracks the password, the information is wide open. Applying a data-centric approach to secure the information itself is a better solution, since the company can control it no matter where it is.
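Here is an added example (not code from the original post or from any product it refers to) of what a data-centric approach looks like in practice: each document is sealed with AES-GCM under its own key, and the policy that should travel with the document (owner and allowed actions) is bound into the ciphertext as additional authenticated data. The key is assumed to come from a hypothetical off-device key source, so a stolen disk holds only ciphertext and the policy, not the means to read it; the `NewKey`, `Seal`, `Open` and `Policy` names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Policy is a constructed stand-in for the "persistent security policy"
// that follows the document rather than the device. It is authenticated
// together with the ciphertext, so it cannot be edited after sealing.
type Policy struct {
	Owner   string
	Allowed string // constructed example values, e.g. "view" or "view,print"
}

func (p Policy) bytes() []byte { return []byte(p.Owner + "|" + p.Allowed) }

// ProtectedDoc is what would sit on the laptop's disk: the policy, a nonce
// and AES-GCM ciphertext with its tag. No key is stored alongside it.
type ProtectedDoc struct {
	Policy Policy
	Nonce  []byte
	Body   []byte
}

// NewKey stands in for fetching a per-document key from a key service that
// lives outside the device (an assumption of this example). Unlike a
// full-disk-encryption key, it is not unlocked by the laptop's login password.
func NewKey() ([]byte, error) {
	k := make([]byte, 32) // AES-256
	_, err := rand.Read(k)
	return k, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the document and binds the policy to it as AAD.
func Seal(key, plaintext []byte, p Policy) (*ProtectedDoc, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	body := gcm.Seal(nil, nonce, plaintext, p.bytes())
	return &ProtectedDoc{Policy: p, Nonce: nonce, Body: body}, nil
}

// Open recovers the plaintext only if both the key and the stored policy
// match what the document was sealed with; any mismatch leaves it unreadable.
func Open(key []byte, d *ProtectedDoc) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, d.Nonce, d.Body, d.Policy.bytes())
	if err != nil {
		return nil, errors.New("key or policy mismatch: document stays unreadable")
	}
	return pt, nil
}

func main() {
	key, _ := NewKey()
	// Constructed sample content; no real patient data.
	doc, _ := Seal(key, []byte("sample patient record"), Policy{Owner: "hospice", Allowed: "view"})

	pt, err := Open(key, doc)
	fmt.Printf("authorised open: %q, err=%v\n", pt, err)

	// A thief with the disk but not the key gets nothing usable.
	otherKey, _ := NewKey()
	_, err = Open(otherKey, doc)
	fmt.Println("open with wrong key:", err)

	// Editing the on-disk policy to widen permissions also fails.
	doc.Policy.Allowed = "view,print,export"
	_, err = Open(key, doc)
	fmt.Println("open with tampered policy:", err)
}
```

The point of the example is the separation the paragraph argues for: full-disk encryption protects the device until someone logs in, whereas here the control sits on the data, so the same document is equally protected on the laptop, on a USB stick, or in an e-mail attachment, and the policy cannot be loosened without the key holder noticing.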
Large and small companies are vulnerable to stolen or lost mobile devices with sensitive information. Encrypt the information so you aren’t the victim of a data breach.
What ideas do you have to protect your information?
Photo credit iandeth