Five stolen Florida Department of Children and Families laptops
Technorati Tag: Security Breach
Date Reported:
1/4/07
Organization:
State of Florida
Contractor/Consultant/Branch:
Department of Children and Families (DCF)
Victims:
Daycare workers in Orange, Seminole and Osceola counties
Number Affected:
"Thousands"*
*DCF is notifying about 1,200 day-care providers and their employees
Types of Data:
Names, addresses, Social Security numbers, and "other information"
Breach Description:
Five laptop computers were stolen from a Department of Children and Families (DCF) office near the Orlando Fashion Square Mall on November 7th and/or 8th, 2007. One or more of the laptop computers contained sensitive personal information belonging to thousands of day-care workers in Orange, Seminole and Osceola counties.
Reference URL:
The Orlando Sentinel Story
Report Credit:
Dave Weber, The Orlando Sentinel
Response:
From the source cited above:
Social Security numbers, birth dates and other information about day-care workers in Orange, Seminole and Osceola counties were among the data on five laptop computers that were stolen from the DCF office near Orlando Fashion Square mall in Orlando on Nov. 7-8.
there were no signs of forced entry at the DCF office.
[Evan] No signs of forced entry seems to imply that these laptops were stolen by someone who had legitimate access to the office (had keys) or that these laptops were stolen during business hours. You would think that it would be hard to walk out during business hours with five laptops.
the Florida Department of Children and Families is just now notifying about 1,200 day-care providers that their employees, as well as center operations, may be at risk.
The computers contained applications for child-care-center licenses. Centers are required to provide personal information on the applications, including employees' birth dates and Social Security numbers, so DCF can conduct background checks.
[Evan] I'm glad to read that DCF conducts background checks on day care workers. I am all for that. Storing the applications on a laptop computer that is not physically or logically secure is terrible security practice.
Officials said they don't know how many day-care employees' records were on the stolen computers.
DCF wanted to have a complete list of centers before contacting them. She said the agency had 45 days by law to notify those whose records were stolen. - DCF spokeswoman Carrie Hoeppner
[Evan] 45 days from November 8th is December 23rd, but there is also a provision in the law that states "Notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation." Maybe law enforcement led to the delay in notification. I would think that a complete list of daycare centers would be available as quickly as it takes to run a simple database query.
the agency also was concerned that the thieves might not realize they had potentially valuable data, and did not want to publicize it.
Hoeppner said she is unaware of any identity-theft crimes resulting from the computer thefts. But she acknowledged that an identity-theft victim may not have considered the DCF theft as the source of their trouble
Victim Reaction:
"They could get information on anybody who works in this place. They could get our Social Security numbers," said Tracey Batchelor, a worker at the Children's Garden Learning Center on University Boulevard in Orlando.
Commentary:
Here is an idea. Collect the necessary information on the application, enter the information into a secured database, then shred the application.
If you can't or don't know how to reasonably secure laptops and other mobile devices, then don't use them. If you can't or don't know how to reasonably secure confidential information, then don't collect, create, store, access, or transmit it. It would be nice if things were so easy, but unfortunately they aren't.
Access to confidential information must be strictly controlled including the restriction from copying to mobile devices (where possible) and use of strong encryption. Anyone who has read about other breaches has heard this all before.
The Florida breach notification statute is interesting and easy to understand:
817.5681 Breach of security concerning confidential personal information in third-party possession; administrative penalties.
"Notification must be made no later than 45 days following the determination of the breach unless otherwise provided in this section."
"Any person required to make notification under paragraph (a) who fails to do so within 45 days following the determination of a breach or receipt of notice from law enforcement as provided in subsection (3) is liable for an administrative fine not to exceed $500,000, as follows:"
"The notification required by this section may be delayed upon a request by law enforcement if a law enforcement agency determines that the notification will impede a criminal investigation. The notification time period required by this section shall commence after the person receives notice from the law enforcement agency that the notification will not compromise the investigation."
"If a person discovers circumstances requiring notification pursuant to this section of more than 1,000 persons at a single time, the person shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. s. 1681a(p), of the timing, distribution, and content of the notices."
Past Breaches:
Unknown
Date Reported:1/4/07
Organization:
State of Florida
Contractor/Consultant/Branch:
Department of Children and Families (DCF)
Victims:
Daycare workers in Orange, Seminole and Osceola counties
Number Affected:
"Thousands"*
*DCF is notifying about 1,200 day-care providers and their employees
Types of Data:
Names, addresses, Social Security numbers, and "other information"
Breach Description:
Five laptop computers were stolen from a Department of Children and Families (DCF) office near the Orlando Fashion Square Mall on November 7th and/or 8th, 2007. One or more of the laptop computers contained sensitive personal information belonging to thousands of day-care workers in Orange, Seminole and Osceola counties.
Reference URL:
The Orlando Sentinel Story
Report Credit:
Dave Weber, The Orlando Sentinel
Response:
From the source cited above:
Social Security numbers, birth dates and other information about day-care workers in Orange, Seminole and Osceola counties were among the data on five laptop computers that were stolen from the DCF office near Orlando Fashion Square mall in Orlando on Nov. 7-8.
there were no signs of forced entry at the DCF office.
[Evan] No signs of forced entry seems to imply that these laptops were stolen by someone who had legitimate access to the office (had keys) or that these laptops were stolen during business hours. You would think that it would be hard to walk out during business hours with five laptops.
the Florida Department of Children and Families is just now notifying about 1,200 day-care providers that their employees, as well as center operations, may be at risk.
The computers contained applications for child-care-center licenses. Centers are required to provide personal information on the applications, including employees' birth dates and Social Security numbers, so DCF can conduct background checks.
[Evan] I'm glad to read that DCF conducts background checks on day care workers. I am all for that. Storing the applications on a laptop computer that is not physically or logically secure is terrible security practice.
Officials said they don't know how many day-care employees' records were on the stolen computers.
DCF wanted to have a complete list of centers before contacting them. She said the agency had 45 days by law to notify those whose records were stolen. - DCF spokeswoman Carrie Hoeppner
[Evan] 45 days from November 8th is December 23rd, but there is also a provision in the law that states "Notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation." Maybe law enforcement led to the delay in notification. I would think that a complete list of daycare centers would be available as quickly as it takes to run a simple database query.
the agency also was concerned that the thieves might not realize they had potentially valuable data, and did not want to publicize it.
Hoeppner said she is unaware of any identity-theft crimes resulting from the computer thefts. But she acknowledged that an identity-theft victim may not have considered the DCF theft as the source of their trouble
Victim Reaction:
"They could get information on anybody who works in this place. They could get our Social Security numbers," said Tracey Batchelor, a worker at the Children's Garden Learning Center on University Boulevard in Orlando.
Commentary:
Here is an idea. Collect the necessary information on the application, enter the information into a secured database, then shred the application.
If you can't or don't know how to reasonably secure laptops and other mobile devices, then don't use them. If you can't or don't know how to reasonably secure confidential information, then don't collect, create, store, access, or transmit it. It would be nice if things were so easy, but unfortunately they aren't.
Access to confidential information must be strictly controlled including the restriction from copying to mobile devices (where possible) and use of strong encryption. Anyone who has read about other breaches has heard this all before.
The Florida breach notification statute is interesting and easy to understand:
817.5681 Breach of security concerning confidential personal information in third-party possession; administrative penalties.
"Notification must be made no later than 45 days following the determination of the breach unless otherwise provided in this section."
"Any person required to make notification under paragraph (a) who fails to do so within 45 days following the determination of a breach or receipt of notice from law enforcement as provided in subsection (3) is liable for an administrative fine not to exceed $500,000, as follows:"
"The notification required by this section may be delayed upon a request by law enforcement if a law enforcement agency determines that the notification will impede a criminal investigation. The notification time period required by this section shall commence after the person receives notice from the law enforcement agency that the notification will not compromise the investigation."
"If a person discovers circumstances requiring notification pursuant to this section of more than 1,000 persons at a single time, the person shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. s. 1681a(p), of the timing, distribution, and content of the notices."
Past Breaches:
Unknown
Posts Atom 1.0
I am very concerned of the lack of regulation by our governor when referring to DCF there are many breaches in this organization including falsification of records.I believe their is a definite question of ethics in this organization.It seems from prior experience they actually have more power than the courts themselves. Our Governor and State Representatives should be very concerned about the direction in which this organization and there agencies are headed.It seems to be an epidemic that the type of people hired are acting unethically for their own sick and twisted amusement.IE. Jacklyn Lloyd that works for CFC in Palm Beach Gardens FL
Reply to this