Shostack + Friends Blog Archive


Analysis of University of Texas, 4,000 encrypted SSNs, Laptop

admit-nothing.jpgThere is no such thing as perfect security. This week, Arthur commented on “40 Million Pounds Sterling Stolen from British Bank.” Mistakes do happen, and its nice to see that not only did the M.D. Anderson Cancer center ensure that their data was stored encrypted, they chose to notify people that it happened:

The private health information and Social Security numbers of nearly 4,000 patients of the University of Texas M.D. Anderson Cancer Center are at risk after a laptop containing their insurance claims was stolen.

Patients and patients’ families were notified this month of the theft, which occurred in November at the Atlanta home of an employee of PricewaterhouseCoopers…

“The laptop that was stolen does have sophisticated encryption software, so it will be very difficult for someone to access patient information,” Carrie Lyons, M.D. Anderson’s chief privacy officer, wrote in a Jan. 30 letter. “Even though it will be difficult for someone to access patient information, we feel you should be informed of this incident.”

Since Choicepoint, there’s been a dramatic shift in the way these incidents are perceived. Assertions of caring about privacy have transformed into a moral duty to report, even when the law doesn’t require it. Work to undercut the 21 state laws in place by groups like the American Bankers Association misses the point. When there’s a breach of personal data, the risk is on the citizen or consumer, not on the organization that lost control of the data. The organization has demonstrated that their risk management decisions don’t have the results that customers want.
That means the risk analysis must be done by the person, not the organization. For the person to do the risk analysis, they need to know what’s happened.

We like transparency. We accept apologies (when they’re not tortured or convoluted). We prefer to work with organizations that don’t keep us in the dark, `for our own good.’ Finally, we don’t trust anyone who has lost control of data to get the next analysis right. Whatever bad laws happen to come out of Congress, there’s a new social consensus, and the University did exactly the right thing.

(Via Canadian Privacy Law blog, who nailed the analysis, too. “Motto” photo by Nad.)

One comment on "Analysis of University of Texas, 4,000 encrypted SSNs, Laptop"

  • Chris Walsh says:

    As I was writing my “Leverage” post yesterday, I was going to close it with:
    “In other news, PWC plans to roll out PGP Whole Disk Encryption for Enterprises…”, but I wasn’t sure that they didn’t already have an encryption solution deployed.
    This is good timing. Maybe Google’s CFO already made that phone call ;^)

Comments are closed.