MyLaptopGPS

On November 6th, the North Carolina Department of Health and Human Services (DHHS) announced that an Aging and Adult Services Division laptop was stolen sometime during the flight of an employee who was returning from a conference in Atlanta, GA.

In an article in Medical News Today, the NCDHHS assured that the laptop was password protected. However, passwords are easy enough to get around. Data encryption would be significantly more effective.

NCDHHS mentioned that the laptop contained the personal information of some of the clients receiving home and community services from the state. The Division of Aging and Adult Services (DAAS) has contacted each of the individuals whose information may have been compromised. The letter also provides guidance on how to place a fraud alert on your credit report, and how to monitor your credit report regularly as the victims’ sensitive data may not be used immediately.

Unfortunately, most of the victims in this incident are, in fact, elderly, and are only as familiar with the internet as anyone else in that generation. So the notifications, though helpful, create more of a hassle than any data encryption technology could possibly impose. The phone calls necessary for just ONE elderly individual to receive the proper credit coverage take hours at best.

And this extreme time-wasting issue could have been resolved easily had the stolen laptop been equipped with security technology such as that provided by MyLaptopGPS.

About 107,400 patients of Baylor Heath Care System, a Dallas-based system of hospitals and outpatient centers, are being notified of a recent laptop theft.

According to Jaikumar Vijayan’s article in Computerworld Security, approximately 7,400 patients’ Social Security numbers were stored on the laptop, along with data on an additional 100,000 people whose information did not include SSNs. The additional 100,000 people’s records contained a “limited amount” of health information, Baylor said in a statement issued November 4, 2008.

The first irony of this theft is that it occurred in mid-September. Yes, two months ago, a laptop was stolen, and no one was notified until about a week ago.

Second, the theft occurred on the cusp of the installation of new encryption technology and laptop-tracking technology.

Third, the entire situation could have been avoided had someone from Baylor been cluing into this blog about two months ago, and realized the simplicity of MyLaptopGPS’s laptop tracking system.

Instead, over 107,400 people are monitoring their credit reports and crossing their fingers that none of their sensitive data is in the wrong hands.

After the GOP Laptop Theft a few weeks ago (see the entry here), everyone should have tuned in to the election (well, you should have done that anyway) and paid special attention to Missouri.

And if you had your eye on Missouri, you might not have noticed the little blip in Charlottesville, Virginia. As reported by Henry Graff at NBC29, two laptops were stolen sometime in the middle of the night on Tuesday, after the polls had closed but before a team came to retrieve the laptops.

Combined, the laptops contained Voter Registration information for everyone registered in the city of Charlottesville. They contained names, addresses, dates of birth, and DMV identification numbers of everyone in the system.

The head of the electoral board in Charlottesville explained to NBC29 that it’s “standard protocol” to leave election equipment behind overnight. Generally, a team comes to collect the equipment the next morning.

The cinder block through the window of the Tonsler Park Polling Station beat them to it, it seems.

The vendor supplying the polling software claims to have run all 25,000 names registered and none of the names were paired with Social Security numbers. Still, the laptops remain lost, and Crime Stoppers had opened a hot-line for anyone with information on the break-in.

MyLaptopGPS, anti-theft software, and even simple security measures like laptop locks could have prevented this theft.

Forty-five percent of data breaches in Australia are attributable to lost laptop computers, reveals this report of Symantec Australia’s Data Loss Prevention Survey. As if that weren’t bad enough, nearly 80 percent of 156 major Australian organizations experienced some form of data breach during the five years immediately preceding Symantec’s survey of them. Additionally, just shy of 40 percent experienced between six and 20 known data breaches during the same time period — and the costs associated with these breaches have been, in many cases, astronomical.

The numbers are, of course, staggering. What’s more, customer records went missing at the highest rate (55 percent), followed by intellectual property (43 percent), credit card details (21 percent) and financial information (20 percent).

And, again, this is just in Australia. What’s the story elsewhere? Well, as far as security is concerned, it’s not that good.

According to a study from the Verizon Business RISK Team of 500 security breaches that occurred between 2004 and 2007, most organizations seem to lack the capacity even to know when a breach has occurred, even though most breaches are seen as easily achievable: Sixty-six percent of breaches, for instance, affect data that the organization does “not know was on the system,” three-quarters of breaches are “not discovered,” and a commanding 83 percent of breaches are “not highly difficult” to conduct.

And, amid the confusion and, frankly, bumbling practices, the number of breaches continues to mount, last month already surpassing last year’s total. Between Jan. 1 and Sept. 30 of this year, the total number of data breaches was 516, according to an ongoing tally by The Identity Theft Resource Center® (ITRC) announced on Oct. 6. The ITRC’s total for 2007 was 446 breaches, which suggested that the final number for 2008 would dwarf last year’s.

So, we have a picture: rampant data breaches; ineffective, nonexistent, or just plain clueless security practices; and laptop computers playing a key role. But security measures for mobile computing equipment don’t have to be difficult or too expensive to implement; they can be as simple and effective as laptop tracking from MyLaptopGPS.

Researchers at Carnegie Mellon University related in their September study that breach-notification laws have only reduced identity theft by about 2%. This is a pretty alarming statistic, considering more than 40 states have adopted the law. Now, Nevada legislation is working to nudge that statistic up a bit with its newly enforced data encryption law.

According to Ben Worthen’s article in the Wall Street Journal, Nevada is the first state (Michigan, Massachusetts and Washington plan to follow suit) to adopt laws that will force businesses “to revamp the way they protect customer data.” The law requires all businesses to encrypt personally identifiable customer data that are transmitted electronically.

However, this law does not just affect Nevada businesses. It spiderwebs out to all out-of-state companies with operations or customers in the state. National Life Group, based in Montpelier, Vermont, is one of thousands of companies that are scrutinizing the new law. Information Security Officer Andrew Spiers told WSJ, “We do business in all 50 states so we’re definitely reviewing [the new security laws].”

Though some companies are frowning upon this addition — which is going to be quite costly (especially in the country’s current financial crisis) –others are nodding to the money that this new law will save them in legal fees. The law dictates that all companies with the encryption in use are only liable for up to $1,000 in damages to each customer involved in a data breach. Without encryption, companies are liable for any potential lawsuits, including the added charge of negligence since they failed to cooperate with the newly passed law. In the long run, having the new data encryption can save billions of dollars in legal fees, though up front it will be slightly costly.

The Massachusetts state government estimates that a business with 10 employees will need to spend up to $3,000 starting out, and another $500 a month to comply with the encryption law. Larger companies assess costs to be the same per employee.

While they’re still on the data security subject, it would be wise to add a service like the laptop tracking provided by MyLaptopGPS — because despite encryption policies, laptops will inevitably be stolen. It’s better to have the encrypted data back in the right hands than floating around cyberspace somewhere with no way to recover it.

So, Nevada… think about that little addition.

The Victory Office of the Republican Party might have received a low blow about two weeks ago.

Richard Adhikari’s article on the Internet News website details a laptop theft from the Independence, MO Republican Party Office. The laptop belonged to regional coordinator Brian Johnson, who noted that the laptop was password protected, and likely the laptop had strategic campaign information stored on it.

The laptop theft in Independence could have easily been dismissed as a random, unsolicited act; however the thief (or thieves) removed the original laptop and replaced it with another, allegedly to mask the theft. However, Tina Hervey, director of communications for the party, commented that “the Dell laptop that was stolen was black, and they put a smaller, white laptop in its place.” Clearly there was a lack of planning on the part of the thief.

When asked to comment, the McCain-Palin campaign declined to respond.

Though the laptop was password protected, security professionals will stress the importance of data encryption rather than merely password protecting data. It’s an added security measure that can make all the difference, especially in cases of laptop theft.

Though Hervey and the Republican Campaign did not explicitly point fingers, she did let slip, “We’re not pointing fingers or jumping to conclusions, but, when you have an office that had at least 25 computers in it and only one was stolen, it makes you think.”

With more secure measures, such as those provided by MyLaptopGPS, all of the sensitive strategic information on that laptop could have been recovered.

Now, everybody tune in to the general election once Missouri starts voting, and let’s see if the Dems have a peculiar head start.

Suppose you’re one of hundreds of thousands of pensioners from various companies and your data has gone missing, along with a company’s laptop, to thieves. You’d want to know about it, right? Well, you might be at the mercy of that company’s apparently lax internal policies for reporting the theft of mobile computing equipment.

In September, a laptop computer belonging to the UK offices of Deloitte went missing to thieves. On it were data records for approximately 100,000 pensionsers, reports SecurityPortal.com — or as many as 150,000, depending on where you read about it. And yet, SecurityPortal.com notes, the employee allegedly responsible for losing the machine waited until mid-October to inform the company of the incident.

That seems like a long time. Anyway, what are the implications of the theft?

A Deloitte spokesperson, quoted in ITPRO, has reassured those affected that information, protected by “a start up password, operating system user ID/password authentication, and encryption,” should remain safe and out of thieves’ hands.

And Deloitte is probably right about that. Even so, the lag of time separating the event from the employee’s reporting of it to superiors within the company is worrisome. Furthermore, the threat of lawsuits, or even the responsibility of having to inform all those affected, could cost any company in such a situation dearly.

It’s too bad, really, that more company laptops aren’t equipped with an inexpensive laptop tracking service. If they were, they’d enjoy a miniscule 0.4 percent rate of theft — much, much lower than the average: 12.5 percent.

In the spirit of last night’s Vice Presidential debates and the Presidential debates to come, it’s only appropriate to talk about foreign policy.

Not the United States’ foreign policy… but the “foreign” policy of the friendly Brits across the pond.

This past Sunday, a laptop computer was reported stolen from a home in Greater Manchester. The article by the Telegraph tells that the home is currently rented by MI5 security services. Though the article reassures, “Police said the files were encrypted — making them impossible for anyone to access,” it’s nonetheless easy to worry about the machine falling into the wrong hands: the MI5 laptop contained anti-terror files, after all. Even the remote chance of nefarious folks gaining access to these files summons the specter of irreparable damage befalling any anti-terror knowledge the UK has already gained.

Thankfully, police believe this act was an “opportunist theft” and that the house and laptop were “not targeted.”

To their detriment, the Ministry of Defence recently admitted that 658 laptops have been stolen over the past four years. Most recently, however, an MI6 agent sold a digital camera on eBay that contained not only images of potential terror suspects, but their names, fingerprints, and, furthermore, images of rocket launchers and missiles.

It seems the UK needs to tighten up security measures in its government. Even with simple registration on the MyLaptopGPS website, all of this sensitive information could be recovered.

With the United States facing a financial slump rivaling that of the Great Depression, it comes as no surprise that US citizens have little interest in what’s going on up north. However, up in Montreal, there’s another situation altogether.

In late September, National Bank of Canada reported a laptop that had been stolen. In the Reuters article written by Lynne Olver, the bank’s head office commented that “the risk of fraud or identity theft was ‘minimal.’”

Later in the article, Denis Dube –spokesman for the bank– said names, addresses, and bank reference numbers for its mortgage customers were in the database on the laptop, though the bank declined to mention exactly how many clients are affected.

As the sixth largest bank in Canada, they’ve got a bit of informing to do. The bank claimed it would “protect clients by informing them quickly about the event.” The bank suggested that clients report unauthorized transactions in accounts, and promised that any damages would be compensated if necessary.

Fortunately, according to Dube, no personal data such as social insurance numbers (equivalent to the US’s Social Security program) or credit information were stored on the laptop.

Regardless of the so-called “minimal” risk of fraud and identity theft, it’s amazing how easily any technologically adept individual could access the laptop and the files. And with important information such as bank reference numbers at stake, it’s highly unlikely that this theft was merely a random crime.

The National Bank of Canada could have avoided this upset altogether with proper security measures. The simple registration of any laptop online at the MyLaptopGPS website ensures the protection of secure files like bank reference numbers.

Well, maybe next time, eh?