Monday, November 17, 2008
Encryption and the Law
Encryption technology is so commonplace that one might think it would be required by basically all information security laws and regulations. However, as discussed in the comments to yesterday's post, encryption isn't even required by HIPAA, one of the most well-known information security laws on the books. Well, as was the case with data breach notification laws, states are stepping up to fill the void left by the Federal Government. For example, as discussed in this post at The Email Admin, Massachusetts is set to implement legislation requiring encryption of personal data for its residents (rule here). It is this kind of law (plus private rights of action) that I was referring to when I said that if people want legal protection, they should work to get new laws passed. The Federal Government is slow and generally lags far behind. If consumers really want to make a change, the place to do it is at the state level, not the federal level.
Sunday, February 3, 2008
My Own Personal Data Exposure
Well, last week I got a message from the Georgetown Information Security Office. Apparently, a hard drive was stolen which contained information from students enrolled between 1998 and 2006, as well as some faculty and staff. The message said that no credit card information or other financial data was exposed, but that personally identifiable information of some students (and faculty and staff) was stored on the hard drive. We were reassured that there was no evidence that any of the information had been misused, but were cautioned to place a fraud alert on our credit reporting accounts just in case.
For me, the advice to place a fraud alert was a bit late, since I've had credit monitoring ever since someone (not me) opened a bank account in my name almost a year ago. Of course, I could do more (like place a freeze on my account), but, frankly, my risks are low enough that I don't see any need for it. Of course, there are still two things I'm curious about:
1) Why was the data stored on a hard drive that could be easily stolen (I'm guessing on a laptop)?
2) Why wasn't it encrypted (of course, the message didn't say it was unencrypted, but if it had been, you can bet that would have been mentioned)?
You'd think that in this day and age, an organization the size of Georgetown wouldn't store sensitive data on easily stealable hard drives, and would keep it encrypted as a matter of course.