City of Charlotte breach affects 5,220 current and former employees
|
Date Reported:
5/26/10
Organization:
City of Charlotte, North Carolina
Contractor/Consultant/Branch:
Towers Watson
Unnamed "mail service provider"
Location:
Charlotte, North Carolina
Victims:
Current and former city employees
Number Affected:
5,220
Types of Data:
Personal information including "Social Security numbers, health plan coverage numbers, and prescription information".
Breach Description:
"The city of Charlotte says the personal information of 5,220 current and former city employees and elected officials has been lost" on two DVDs that have gone missing.
Reference URL:
WSOCTV Channel 9 News
Charlotte Business Journal
The Sun News
Report Credit:
WSOCTV Channel 9 News
Response:
From the online sources cited above:
The personal information of more than 5,000 former and current city of Charlotte employees and elected officials has been lost, city officials said.
The city notified 5,220 people that some of their personal information was lost by a mail service provider working with Towers Watson, its benefits consulting firm.
Two DVDs containing Social Security numbers were lost while being shipped from the consulting firm’s Charlotte office to its Atlanta office.
The city blames a mail-service provider working with Towers Watson. The city says it was notified of the lapse on Feb. 23.
[Evan] Wait a second! Who's responsibility was it to encrypt the data stored on the DVDs? I doubt that the mail provider is responsible for putting data on DVDs. Mail service providers lose mail all of the time, especially if they deal with enough volume. Encrypting data on mobile media is a simple information security best practice, and this breach occurred due to a lapse at Towers Watson. Some blame is also shared by the city itself. I elaborate more on my take in at the end of the post.
City Councilman James Mitchell said he was notified that his information was on one of the lost DVDs.
“[I’m] very concerned and very upset because you never know in this day and time what someone is doing with that data,” Mitchell said.
The information lost affects people who were receiving health insurance from the city in early 2002.
The discs also contained prescription-drug information for five individuals.
[Evan] Does this mean that there is personal health information (PHI) and other personally identifiable information (PII) such as Social Security numbers, names, addresses, etc.?
The DVDs were not encrypted, meaning anyone who accesses the DVDs can access the information on them. The city said sending unencrypted data is not in accordance with the consulting firm’s policies.
[Evan] A policy ain't worth squat if people don't follow 'em.
“We did a thorough investigation to make sure we really understood what we were dealing with,” Emory Todd, with Towers Watson said.
Todd didn’t elaborate on exactly how unencrypted data ended up in the mail.
The city and Towers Watson both said there is no evidence anyone’s information has been used, but there’s no real way to be sure.
“I don’t believe there would be any way for us to know at this point,” Tim Mayes, the city’s human resources director, said.
[Evan] Exactly! Once you lose control of information, it is very difficult to track how it may be used.
Towers Watson is providing two years of identity theft monitoring through Equifax’s Credit Watch for the affected people. It also set up a hot line at for people who have additional questions.
Commentary:
We all know (or should know) that this is a breach that could have and should have been prevented, right? All sensitive information on mobile media (DVDs, CDs, tapes, flash drives, USB hard drives, etc.) must be encrypted. I understand that Towers Watson is a large company with over 14,000 employees. Given the numbers, a breach is eventually bound to happen. Fine, but this doesn't mean that it is acceptable or that we can't use it to make a few points.
Roles and Responsibilities:
The city blames the mail service provider for the breach, or at least this is what the media claims. I want to make a few points about blame here. In order to place blame, we need to know who plays what role and what their responsibilities are given their role. I like things simple, so I am not going to go into great detail.
There are essentially three roles; data owner, data custodian, and data user. The data owner is the entity who "owns" the information, which in this case is the individual who is affected by its security or loss; the individual city workers. The data custodian is the entity that is responsible for securing the information in a manner that is consistent with the data owner's expectations. In this case, there are three data custodians; the city, Towers Watson, and the mail service provider. The data user is the entity that is authorized to use the data in a manner that is consistent with data owner and data custodian requirements. In this case, the data user is the person who burned the DVDs without encryption. Requirements are usually dictated in documented policies, standards, guidelines, procedures, contracts, etc. and are communicated through education and awareness campaigns.
So there are the roles, again, in very simple terms. So let's figure out blame, if we must. Who is responsible for securing the information? The data custodians and users. This leaves us with the city, Towers Watson, the mail service provider, and the person who didn't encrypt the data. The amount of blame placed on each party varies depending on a number of factors which were not disclosed in the media reports.
The point I am trying to make is that the city has no real grounds to call out the mail service provider as being the responsible party without addressing its own role and the role of its consultant; Towers Watson. There is plenty of blame to go around. You dig?
Past Breaches:
Unknown
Posts Atom 1.0
Comments