In the last few days there have been a number of reports of data breaches caused by hardware getting stolen or misplaced. AMR, parent company of American Airlines, is contacting 79,000 employees and former employees because they lost a hard drive. The California Department of Health Care Services notified the authorities that it lost a CD containing over 29,000 patient records.
Not to be outdone, thieves stole thousands of laptops over a nine-hour period from a private contractor working for the US Special Operations Command.
Why would anyone need to hack the network when they can just walk out the front door with all of the information they wanted?
Update: Apparently there are new laws that allow data breaches not to be made public. One of the worst ideas comes from the HHS: “For medical data breaches, the Department of Health and Human Services (HHS) has created a ‘risk of harm’ threshold for notifications. Under HHS guidelines, if an organization determines that a data breach hasn’t caused ‘a significant risk of financial, reputational, or other harm to individual,’ then it doesn’t have to report the breach, either to the person whose information was breached or to law enforcement agencies.” I mean, how about you let the person whose information was breached determine whether it has caused a significant risk. Just throwing it out there.