
Moderator

  • Attorney Benjamin Wright is an advisor to Messaging Architects, specialists in email compliance and risk management controls and services. He is the author of numerous books on technology law, including The Law of Electronic Commerce (Aspen Publishers) and Business Law and Computer Security (SANS). He often serves as featured speaker at industry conferences and professional meetings, and he teaches data security and e-discovery law at the SANS Institute. Mr. Wright recently delivered SANS Onsite to the e-discovery team of a major corporation. His telephone is 1.214.403.6642. His e-mail is ben_wright at compuserve dot com (put "BLOG" in subject line to distinguish yourself from spam). Mr. Wright graduated from Georgetown University Law Center in 1984.

SANS Quote

  • "The best guy in the country on these issues is Ben Wright." --Stephen H. Chapman, Principal and CEO, Security Advisers, LLC, and student in Mr. Wright's SANS legal training

What Sets This Blog Apart?

  • Most law blogs simply describe the latest cases and laws. But Wright’s Legal Beagle tells the best stories in data records law, often pulling several cases or developments into a single story for public dialogue. Sometimes those stories are several years old. Mr. Wright explains how those stories teach practical, even timeless general lessons.

Important!

  • No public statement by Mr. Wright (blog, comment, book, article, video, speech) is legal advice for any particular situation. If you need legal advice, you should consult your lawyer.

    The purpose of this blog is public discussion, not the delivery of legal, technical or other professional advice. If you need advice or complete information, this blog is not the place to get it. The information here is offered as-is, with no warranty of accuracy or reliability. Mr. Wright from time to time revises the ideas published here. If you use the ideas, you do so at your own risk.

    This blog serves as the online update service for the book The Law of Electronic Commerce. Originally released in 1991, and revised continually since then, the book is a major reference for lawyers, published by Aspen Publishers.

    Mr. Wright identifies his association with quality organizations like Messaging Architects and SANS Institute. However, the only person responsible for Mr. Wright's words is Mr. Wright.

    Mr. Wright’s policy is to comply with all applicable laws. If any person ever has any information or belief that Mr. Wright has done anything illegal or unethical, he asks that person promptly to notify him at 1.214.403.6642.


August 05, 2008

Encrypted Personal Data On Stolen Laptop

Data Breach Notice to Employees and Dependents

Compromise of Password-Protected Computer Lost in Burglary

Anheuser-Busch notified thousands of employees that their personal data, and the data of their dependents, may theoretically be at risk of identity theft. The data were on a password-protected laptop, and the data were encrypted.

The case comes to light because one of the states involved, New Hampshire, requires notice be sent both to affected individuals and to the state attorney general, who publishes the notices on the web. New Hampshire’s law does not require notice if data were encrypted. AB says the data were encrypted. It also says it has no information suggesting the burglars are attempting identity theft. So why did it give notice?

My guess is that the company was motivated more by the politics of the situation than a strict reading of the law.

The facts: A burglary in a Missouri building harvested several laptop computers from the offices of multiple companies. One of those laptops, belonging to AB, contained personal information (names, addresses, social security numbers and so on) about certain AB employees and their dependents.

A sizable number of those employees work at AB’s brewery in New Hampshire. When AB announced the data breach, a Manchester, NH, television station reported it.

More than 40 states have some form of data breach notification law. The laws are not uniform, which means their details vary. Some states require notice in one way; others require it a different way.

Many of these laws are structured to protect state residents. Therefore, to know which law applies to a particular data subject (i.e., a particular employee or dependent), a data holder like AB must know the subject’s state of legal residence. Determining a person’s legal residence is not easy, because the data about a person in a database is often insufficient to establish it for sure. A resident of Wyoming, for example, can have a postal address in Connecticut.

Hence, it might be particularly difficult and expensive for AB to determine with absolute precision which person should receive notice and under which state law. As a good faith compromise, AB decided (this is my interpretation) it would go overboard with notice in New Hampshire. Although NH law does not require notice if data were encrypted, many of the affected employees worked in NH. So (again, my interpretation) AB gave notice in NH, which included sending notice to the state attorney general, who would afford the notice special attention by publishing it on the web.

Computerworld inquired whether AB gave notice in other states. The company acknowledged that affected data pertained to residents of other states, but declined to say anything more about the other states. My reading is that AB did not necessarily track down every last dependent, and determine that dependent’s state of residence, so the company could provide that person notice in strict accordance with the law of that person’s state of residence.

–Benjamin Wright

Mr. Wright is an advisor to Messaging Architects, thought leader in data records management.
