Wednesday, August 1, 2007

Do you care? - Aflac lost laptop



I have been debating over the last week whether I even wanted to mention this, but this story just seems too good to pass up as an example of what is security news and might not be.

The headlines read:
"Aflac Reports Laptop Detailing 152,000 Clients Stolen" - bloomberg.com 7/26/07
"Aflac Loses Data on 152,000" - darkreading.com 7/27/07


And, etiolated.org reports this as an "incident" (etoilated and Attrition.org are a couple of my favorite sites BTW).

Your first reaction might be (or have been) a little like mine was.  I immediately assumed the worse, shook my head, and clicked on the link to read a little more.  You can read the articles yourself (click the links above) so I won't delve into all that they say, but some interesting points worth mentioning:

1.  A laptop was stolen from an Aflac employee on a commuter train that contained "clients' names, addresses, birth dates, and policy details".  Bad news, right?  Read on...

2.  "All the information was encrypted and password-protected, so it would be very difficult for any third-party to access it".  Amen!  Encryption if properly managed can make it nealy impossible for a third-party to access the data.  I sincerely hope that the employee who had the laptop stolen from him/her is not akin to many of the employees I see with laptops when it comes to password management, i.e. written on a Post-it note or on the back of the laptop.  Most likely a password is used by the employee and doubles as the "secret key" that enables decryption of the drive/data.  Given the limited amount of information to work with, one can only assume.

"Aflac wanted to send letters apologizing to policyholders before alerting the press"  Why?  Don't most (if not all) breach disclosure laws and regulations have safe harbor statements when the data is encrypted?  Maybe a reader can help me out here.  If a company is not required by law to disclose the lost laptop publicly AND there is very very little risk of disclosure (encrypted), then why send letters and notify the press?

Thankfully, cooler heads seemed to have prevailed on this piece of news (or non-news) and it wasn't blown out of proportion.  Kudos to Aflac for using encryption on laptops!

No comments: