News & Observer | newsobserver.com

State failed to encrypt private data

- Staff Writer

Published: Fri, Nov. 14, 2008 09:23AM

Modified Fri, Nov. 14, 2008 09:29AM


RALEIGH -- The state Department of Health and Human Services violated security policies by not properly protecting residents' personal information, including their Social Security numbers, on an agency laptop that was stolen last month.

The theft of the laptop, which contained personal information about 85,045 people, was the latest in a string of DHHS laptop thefts this year that have put North Carolina residents at risk of identity theft.

In addition to the most recently reported theft, at least one other DHHS laptop containing personal information has been stolen this year, according to a memo this month from George Bakolia, state chief information officer. In addition, two other laptops that may have contained personal information were reported stolen, he wrote.

In a Nov. 6 memo to DHHS Secretary Dempsey Benton, Bakolia referred to 10 laptops stolen from DHHS this year.

"Failure to encrypt the hard drive on the laptop was a violation of State Security Standards," Bakolia wrote. "Additionally, DHHS may have been in violation of other standards regarding due diligence in safeguarding information regarding the type and quantity of data stored on a laptop."

Bakolia's office has been pushing DHHS about encrypting laptop files because of thefts and possible data breaches, reminding the agency of a statewide encryption contract in place for more than a year. Encryption makes computerized data unintelligible to unauthorized users.

"I and my staff have repeatedly warned DHHS of the dangers of deploying confidential data on unencrypted and therefore unprotected laptop," Bakolia wrote.

"I urge you to review state standards and DHHS agency policies and procedures related to proper safeguarding of state information assets," Bakolia wrote. "Not only the laptops, but the type of information stored on those laptops must be safeguarded. It is not appropriate for DHHS employees traveling to other states for training events to carry laptops containing large numbers of confidential unencrypted citizen data records with them."

The agency had promised months ago to protect data on its laptops.

In an April 9 memo, DHHS Deputy Secretary Dan Stewart wrote that the agency would comply with the encryption standards. At least two "laptop security" incidents, including the Atlanta theft, occurred after he wrote the memo.

In an e-mail, Lori Walston, a DHHS spokeswoman, said it took time to encrypt a variety of machines with different operating systems, find the money to do it, and train staff.

In a Sept. 9 memo, Stewart mandated the installation of encryption software by Nov. 1 on any agency laptops that employees wanted to take from their offices.

The software was scheduled to be installed in the laptop that was stolen during the time the employee had it in Atlanta, Walston said.

Information on that laptop included Social Security numbers of 52,391 clients of the state Division of Aging and Adult Services. The last four digits of Social Security numbers were included for 32,645 additional clients.

The laptop disappeared Saturday, Oct. 25, when a state employee returning from a training conference was unloading luggage from a rental car shuttle at the airport in Atlanta.

The laptop was password protected. But a citizens advocacy group on personal privacy said passwords offer little protection from knowledgeable thieves.

"Even a teenager could hack into a password protected computer," said Paul Stephens, director of policy and advocacy at the Privacy Rights Clearinghouse in San Diego.

State officials sent a letter to people whose full Social Security numbers were stolen with advice on how to place a fraud alert on their credit reports. The other group of people was set to get a different letter advising them to be cautious about unusual phone calls or other inquiries.

The state is considering offering credit monitoring to residents put at risk of identity theft, Walston said. The agency may have more information on credit monitoring today.

lynn.bonner@newsobserver.com or 919-829-4821
