NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Attrition Dataloss> 2008-02

Re: [Dataloss] NY laptop theft breaches no data protection rules

From: Chris Walsh (chriscwalsh.org)
Date: Wed Feb 27 2008 - 10:00:20 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I am interpreting "encryption", in light of what is said below, to mean
"use of consistent and obscure codes". Basically, something akin to a
"q code".

If I understand this properly, a decoded record might look like this:

Chris Walsh 123 Main St Dublin AB- HIV+

Whereas the "encrypted" variant is:
Chris Walsh 123 Main St Dublin 785 432

Since the ITBS never told NY that "785" is the code for "AB-" and "432" means
"HIV+", adequate protection of this sensitive information was in place.

I won't argue with that conclusion, although it would be easy to.
I will say that calling a simple code such as this "encryption"was
unfortunate, and tends to perpetuate misunderstandings.

Lastly, "It is not possible to isolate individual fields in the log files,
so it would have been difficult, if not impossible, to have anonymised the
files prior to their supply to the NYBC" means they could not parse their
own logs. That's interesting.

On Wed, Feb 27, 2008 at 02:52:03PM +0000, lyger wrote:
> The loss of a laptop containing the files of up to 175,000 Irish blood
> donors, which was stolen earlier this month in New York, does not
> constitute a breach of the Data Protection Acts and the encryption on the
> laptop is sufficient to protect the files, Ireland.s Data Protection
> Commissioner said today.
>
[snip]

> The log files also contain numeric codes for other kinds of
> information such as attendance at the IBTS or blood-test results performed
> by the IBTS.
>
> "Importantly, the key for these codes was not on the stolen laptop or on
> the disks given to the NYBC for the performance of its functions," the
> Commission said.
>
> "It is not possible to isolate individual fields in the log files, so it
> would have been difficult, if not impossible, to have anonymised the files
> prior to their supply to the NYBC. Accordingly, the amount of personal
> data supplied to the NYBC for the performance of the contract entered into
> is not considered excessive in the circumstances," the Commission said.
_______________________________________________
Dataloss Mailing List (datalossattrition.org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor your
traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]