Data Security Incidents Go A Lot Deeper Than Headlines
Two headlines amid a tidal wave of data security news this week amused me. The first appeared atop a story in the Chard and Ilminster News out of the UK. I’m often kidded by coworkers for my ability to locate data security material from obscure news sources, and I admit that I had to look up on the map where Chard and Ilminster are located, even though the towns have been around since 725 A.D. (See? I also looked up their histories!)
“Distinctive Laptop Stolen in Burglary” screamed the headline, making me instantly wonder what made this particular laptop “distinctive” and think the device must have contained some pretty darn important data. The answer, the news article explained, was that the computer is missing the “y” and “u” keys from the keyboard. This definitely makes the laptop unique and undoubtedly difficult for any thief to unload, what with all the law enforcement agencies watching for people who can’t type the word “yttriferous.”
The second eye-catching headline appeared in the Ithaca Journal of Ithaca, N.Y., renowned for being the home of Cornell University. The newspaper warned: “Valuable Computer Swiped from Cornell.” I was amused by the use of the word “swipe” to describe the incident, since “swipe” is an old slang term I’d sooner expect to hear uttered in an old Dead End Kids movie from the 1930s.
This time, it wasn’t a physical feature that made the missing laptop “distinctive” or, as the headline noted, “valuable,” but the data inside, not to mention the number of people affected. And that was far from amusing.
Initially, I had the same reaction to the Ithaca Journal headline as to the Chard and Ilminster News article – what makes this laptop so valuable? But even at first glance, the seriousness of this incident was clear: the names and Social Security numbers of about 45,000 Cornell University students, staff and dependents were stolen.
And unlike the UK article where too much information was provided – in addition to the missing keys, the laptop case was said to be covered with stickers! – the article about the Cornell University data security breach could say little about the actual incident. Obviously, the reporter for the Ithaca Journal was frustrated by the explanation offered by Cornell officials. As a former newspaper reporter, I could spot the telltale signs. The article notes that Cornell officials declined to share what type of computer was stolen, where the theft occurred, if the employee responsible for the breach faces disciplinary action or why the theft wasn’t listed on the Cornell Police daily crime log.
Academic institutions and businesses must understand that refraining from sharing information about a data breach, or delaying the release of that information, only exacerbates the situation and makes the customers impacted by the incident more frustrated and leery of the institution. Yet there seems to be evidence that many enterprises still don’t want to share.
A new report from the non-profit Identity Theft Resource Center (ITRC) found that the overall number of reported data breaches was down in the U.S. between January and June from the same period last year, which on the surface sounds good. But then the Washington Post article covering the ITRC report explained that fewer than half of the businesses and organizations that disclosed a breach so far this year identified how many total victims were impacted. Consequently, a lower number of breaches does not translate to fewer people being affected.
It is understandable for institutions and businesses to shy away from publicly announcing the severity of data breach incidents, especially when they involve employees losing laptops. It’s definitely bad for business.
A good example of that surfaced this week when it was announced that TJX Cos. Inc. will pay $9.75 million to 41 states for failing to adequately protect customers’ financial information and guard against a massive data breach announced in 2007 that exposed millions of customers’ personal and credit card information. That widely publicized incident wasn’t even an off-network breach, and still it proved costly to the parent company of the T.J. Maxx, Marshalls, HomeGoods and A.J. Wright chains, as the Boston Herald reported this week.
It was definitely a bad week for off-network breaches, lost and stolen laptops especially. Other incidents in the news included:
• Two laptop computers were stolen in a burglary earlier this month from the University of Alberta Hospital. Information on the laptops is said to include names, birthdates, personal health numbers and lab test results for communicable and reportable diseases. The number of people affected: about 250,000 patients
• Irish energy provider Bord Gáis reported that a laptop computer with unencrypted account details, including bank records, was one of four portable devices stolen from its offices in Dublin. The number of people impacted: 75,000 customers
• Also in Ireland, one of 15 laptop computers stolen recently from a Health Service Executive (HSE) office contained unencrypted sensitive personal financial data on people who have approached Irish community welfare officers seeking assistance. The number of people vulnerable to identity theft because of the incident: That information was not available
• The Oklahoma Commission for Teacher Preparation said a computer server with personal information of teacher candidates from 1999 through 2007 was stolen. In this case, the off-network device was recovered by police officials, but as the Tulsa World pointed out in its coverage of the incident, the server had been decommissioned and was in storage when it was taken, so the commission was not even aware it had been stolen until police recovered it. The number of people whose data was potentially compromised: They didn’t say
So here are several illustrations of the gap in reporting data breach incidents. Who fares better, the company that openly admits that a breach occurred, or the enterprise that chooses more clandestine methods?
Perhaps the best example of the ultimate impact of a data breach this week appeared in a CBC News story about the University of Alberta Hospital breach, which had its own distinctive headline: “Security on Stolen Laptops was Inadequate: Privacy Commissioner.” Provincial Privacy Commissioner Frank Work said he was perplexed by the news that the data on the stolen laptops was not encrypted. “This is shocking to me,” he said, adding: “This is highly sensitive information and an issue of public trust. How can the public have faith in public bodies if they can’t provide security for personal information?”