Does Lost Computer Tape Equate to Lost Data?

How to Define "Data Security Compromise"?

Computerworld reports that the State of Ohio spent $3 million to remedy the breach of data security resulting from loss of a backup computer storage tape. The computer tape was sitting temporarily in an intern's automobile. The tape held sensitive (unencrypted) data such as social security numbers on thousands of state employees and taxpayers. Most of the $3 million went to giving the affected individuals free credit protection service . . .

Waste of Taxpayer Money

The expenditure of $3 million to deal with this security incident is nuts. The compromise of the tape's physical security does not necessarily mean that the data on the tape had been compromised or even threatened with compromise. What's the likelihood that a thief who steals something from a car is going to possess the equipment, knowledge, talent, patience and courage necessary to read the tape, figure out how to abuse the data on it, and then undertake the risky business of actually committing identity theft? My sense is that the likelihood is very low.

The skills needed to commit successful identity theft are very different from the skills needed to make an opportunistic theft of the contents of an automobile.

Some data breaches are serious, and some are not. This one doesn't sound serious. The $3 million went down a rat hole.

Lost Backup Tape:  What's the Big Problem?

Question: Are readers aware of any documented case where a lost backup tape led to identity theft?


--Benjamin Wright

Mr. Wright, a practicing attorney, teaches the Law of Data Security and Investigations at the SANS Institute.


[Postscript: My friend Mich Kabay has been writing about customs agents inspecting laptops as their owners cross international borders. Someone asked Mich whether an enterprise has suffered a data breach requiring notice if it gives a decryption key to customs so it can inspect the contents of a laptop containing personal information. My response: Some people unwisely set a low threshold for considering data to be compromised or for requiring the delivery of a breach notice. It would be ridiculous to say that cooperation with law enforcement (i.e., duly-authorized customs officials) constitutes a data security breach!]

Update: See my analysis of a breach notification where data on stolen laptop are encrypted.

Investigating Police Officers and Other Authority Figures

Computer and Digital Data Forensics

Social Media for Law Enforcement 

Hidden (Secret) Camera, Video, Microphone, Audio, Surveillance

People in authority sometimes abuse the public's trust.

But technology is progressively making abuse and conspiracies more difficult to execute. The reason is that technology renders corruption of authority un-hideable. Our world is becoming saturated with recording devices -- electronic mail, instant message, camera phones, Google-searchable web sites and more. These devices make innumerable records, which are subject to subpoena, e-discovery and data-mining.

The records are also subject to illegal access. For instance, a hacker broke into the Yahoo e-mail account of Alaska Governor Sarah Palin and publicized the contents.

And no one person or group can control all the devices recording any given event. Cheating officials must bow to transparency.

Case in point: An NYPD detective got caught abusively interrogating a shooting suspect. The suspect recorded the conversation as electronic data on a hidden MP3 player. As the player quietly memorialized the conversation, the detective said "Our conversation right now does not exist." Later, in court he denied he had interrogated the suspect. But then the suspect produced the recording. The detective now faces 12 counts of perjury!

Another case: Prosecutors and police officers in Pennsylvania were shocked to learn that the defense lawyers in a criminal case could, by way of subpoena, obtain access to their cell-phone calling records without their knowledge. Pennsylvania rules of criminal procedure allow for such a subpoena, but do not require notification to cell phone customers.

Since the Rodney King beating in 1991 (illegal LAPD beating of suspect recorded on amateur videotape, corroborated by police e-mail), we've known that technology can surprisingly record and reveal instances of official abuse. But technology's march is accelerating. The sheer quantity of recording devices (PCs, cameras, cell phones, texting devices and so on) in day-to-day life is mushrooming.

The transparency wrought by technology does more to the rich and the powerful than just expose their transgressions. It exposes any information about them that might be embarassing or unseamly. Hence, when big law firm Jones Day sued a Chicago web site for identifying where its partners were purchasing homes, the firm just made itself look silly. And by attracting additional attention to the location of its partners' residences, the firm's lawsuit achieved the opposite of its goal.

No authority, whether a police officer, the president or a prestigious law firm can hide from the burgeoning swarm of digital witnesses and stool pigeons.

As Bill Gates predicted in his 1995 book The Road Ahead, we have come to live "documented lives." Increasingly, our every action and utterance is preserved in a record (i.e., discoverable electronic evidence), and therefore is potentially subject to third-party review and scrutiny. Even deleted records are recoverable by computer forensics.

Some folks view these developments as a threat to privacy. I view them as an agent of democracy and social justice, which compels people in power to perform ethically and responsibly. It compels rich people to pay their taxes. It advances the notion of checks and balances embodied in the US constitution.

Update: The transparency wrought by technology enforces responsibility on all accountable people, even welfare recipients who are expected honestly to report their household status. Under New Zealand law, welfare recipient Lauren Kaney was entitled to more money if she (a mother) was the sole adult in her household, and she represented to authorities that she was. But the government discovered on her Bebo and Facebook pages that she was co-habitating with the father of her young son. The public administration authorities convicted her for welfare fraud.

Another Update:  Tax authorities are turning to social networking sites to gather evidence for audit and enforcement.  Minnesota tax collectors went after the wages of a tax evader after he said on Myspace that he was returning to the state to work for a real estate brokerage that he identified.  Laura Saunders, "Is 'Friending' in Your Future? Better Pay Your Taxes First," Wall Street Journal, Aug. 27, 2009.

Update June 2010: Some police assert that wiretap and eavesdropping laws prevent citizens from video recording on-duty police officers. Some police say they can order a citizen who is recording the police action to turn a camera off, even in a public space. In some cases courts and other authorities have agreed with the police.

--Benjamin Wright

Mr. Wright teaches the law of data security and investigations at the SANS Institute.

See related article on how to make smart phone video more credible.