News & Observer | newsobserver.com |

Editorials

Laptop lapse

A major state agency and its employees haven't safeguarded citizens' personal information from identity theft

Published: Tue, Nov. 18, 2008 12:30AM

Modified Tue, Nov. 18, 2008 01:42AM

It's a good thing the state Department of Health and Human Services doesn't run the prisons. DHHS just might hand the inmates the keys to the cellblock doors.

The DHHS is not on prison duty, fortunately. It has, nonetheless, managed to create a security problem all its own.

By failing to safeguard its laptop computers, the agency, and some of its employees, have handed potential data thieves a key to stealing Social Security numbers and other personal information. This has happened even though DHHS was warned of the danger and pledged to make its laptops secure.

Instead, encryption technology that would protect Social Security numbers stored on DHHS laptops has yet to be installed on all of them (officials yesterday pledged action by Thursday). In recent months, employees have taken unencrypted laptops out of DHHS offices, exposing them to loss or theft.

The lack of encryption is particularly inexcusable because the agency admits that a dozen DHHS laptops have been lost or stolen so far this year. With the computers themselves so alarmingly insecure, it should be mandatory that the information stored on them is not.

Also, employees who take unencrypted state-owned computers out of the office after they've been told not to should be disciplined or dismissed.

Here's why: The most recently stolen laptop (taken from a Division of Aging and Adult Services employee traveling in Atlanta) contained data on about 85,000 people, including thousands of Social Security numbers.

The computer had a password, but those can be broken. Because its files were not encrypted (using software that makes them unintelligible to unauthorized users, even if the password is hacked) those numbers could be extracted and sold to criminals.

The result could be wholesale identity theft, with financial misfortune and seemingly endless hassles for the innocent people involved.

Although that probably won't happen -- most laptop thieves are after a quick resale on the street -- it could. So the state will pay more than $25,000 to arrange credit fraud alerts for citizens whose private data was in the laptop.

Costly insurance, and an embarrassment. The DHHS had agreed back in April that it would comply with encryption standards for state agencies. After the recent theft in Atlanta it conceded that it hasn't fully done so, citing cost and logistical difficulties.

Commenting on that theft, the state's chief information officer, George Bakolia, says flatly that "Failure to encrypt the hard drive on the laptop was a violation of state security standards."

To put it mildly, there's been insufficient follow-through on a matter of basic, computer-age public safety. This may not rank with opening the prison doors, but it comes close. The DHHS and all other state agencies that store vulnerable information on laptops need to lock that data up tight, right now.
