The Titanic’s Anchor was NOT Stolen with Your Data
A steam locomotive, the Hubble telescope and Abraham Lincoln’s stovepipe hat. The Chrysler Building, Mount Rushmore and the anchor from the RMS Titanic. You’ll likely be pleased to know that all of these things were NOT taken in a recent data breach.
In my previous blog, I noted that I’ve been disappointed by some of the trends in news coverage of data security breaches, chiefly when the news media doesn’t question breached businesses when they fail to notify customers or clients whose information was stolen in an off-network data breach. I cited one example, but there are many.
Another trend that this curmudgeonly old newspaper editor finds appalling is a recent rash of articles in which companies that experienced a breach feel compelled to tell the public what wasn’t taken when a laptop or other portable data-bearing device was stolen or lost. “The stolen data did not include addresses or medical contact data,” one spokesperson may be quoted in a news article, glossing over the fact that names, Social Security numbers and financial data were taken with the device.
While these comments at first seem intended to provide a glimpse of reassurance to the people who entrusted that business to secure their personal identifying information, those types of quotes also can be viewed as a way of distracting victims from the real issue – that the security of data-bearing physical assets has been violated and their personal information has been tossed to the wind.
I agree that in some instances when companies let victims know that names, Social Security numbers or financial information were not involved in a breach, it can be reassuring. But most of the news coverage I see aims to downplay the repercussions of an avoidable breach. Businesses are allowed to share only the bare minimum of the information that might otherwise help victims know how to respond or tip off other organizations about the importance of preventing their own off-network data breach.
For example, the same article that features a spokesperson’s quote about a breach not involving addresses or medical contact information may include, further down in the content, a comment like: “The information on the (laptop/hard drive/portable device – take your pick) may have included patient names, phone numbers, insurance code numbers, body mass indexes, blood pressure readings, lab results, long-term diagnoses, medications, lists of allergies, and demographic information such as birth date, gender, race, ethnicity and spoken language.” When I see articles like this, I wonder, “What? No stolen shoe size? No mention of where the person likes to shop for groceries or a list of all the websites they’ve visited in the past year?” Wait. That’s a whole other kind of data security animal.
A recent article in Information Week reported that breaches of protected health information increased 97% in 2011 compared to the previous year. The numbers also revealed that 19 million patients’ health records were affected.
So while it may seem ridiculous to note that the Titanic’s anchor is still somewhere on the bottom of the Atlantic Ocean and unaffected by a breach of technology never envisioned when the famous ship set sail 100 years ago, a dramatic rise in the number of reported data breaches should make every business want to find ways to ensure their data is secure throughout the lifecycle of their data-bearing IT assets. Data breaches are an iceberg to avoid.