http://www.columbusdispatch.com/news-story.php?story=dispatch/2006/07/03/20060703-C1-00.html
By Randy Ludlow
THE COLUMBUS DISPATCH
July 03, 2006
Data thieves don't always sneak in through a digital back door.
Sometimes, their work is decidedly low-tech, such as strolling through a real door and snatching a laptop computer.
In Ohio, some state agencies and universities appear to be lagging the technological curve as the federal government tightens the security of data on portable computers.
The feds' action was prompted by the lifting of a laptop and external hard drive, recovered last week, that held the Social Security numbers of about 26.5 million military veterans.
New security guidelines require civilian agencies to encrypt sensitive data to make it nearly impossible to steal identities should laptops and handhelds disappear.
Among a sampling of state agencies handling personal information on millions of Ohioans, only the Department of Taxation boasts of nearly impenetrable data encryption.
The Department of Job and Family Services and Department of Administrative Services are planning to encrypt data, but are not there yet.
Ohio State University and Ohio University also do not use scrambling software on portable devices, but appear to be on the verge.
Securing portable data appears to have evolved slowly in Ohio, said Marc Mezibov, a Cincinnati lawyer who is suing OU and the Department of Veterans Affairs over data thefts.
"I'm sure there will be a lot of finger-pointing and wondering why some of these institutions and organizations are behind the curve," he said.
State agencies and contractors have been handed a financial incentive to encrypt data under a state law that took effect early this year. They can escape mandatory, costly notification of data-theft victims if the data is encrypted.
The Ohio Office of Information Technology prescribes minimum security standards for state computers and encourages that they be exceeded, but does not require the use of encryption software.
With Social Security numbers and employment, investment and income information, the tax collectors hold the most far-reaching personal information of any agency.
The data, says taxation spokesman Gary Gudmundson, is encrypted with state-of-the-art software on both servers and laptops, and is considered virtually hack-proof.
Four state laptops used by taxation employees were stolen during the past three years, but only one contained data on individual taxpayers, he said. That computer held information on an audit of one taxpayer, but it was deemed inaccessible because of encryption, he said.
The Department of Job and Family Services works with personal data involving welfare, Medicaid, child-support and unemployment recipients.
Plans call for installing data-encryption software on portable devices before the end of the year, spokesman Dennis Evans said.
Only one department laptop with personal information - on 20 Medicaid recipients - has been stolen. It was taken from an employee's car in December 2004, prompting a directive not to leave computers in vehicles, he said.
The Department of Administrative Services functions as the centralized human-resources office for the state and handles other sensitive material involving state contracts and bidding.
It, too, is moving to add encryption software to its list of security features protecting laptops, said spokesman Ben Piscitelli. No computers with personal data have gone missing.
Ohio State and OU do not require encryption software to protect sensitive information on laptops, but are studying a move toward such protection, officials said.
OSU is working with a consortium of Big Ten and other universities to identify best practices, likely to include stepped-up security, said Robert Kalal, director of information technology policy and services.
OU has made headlines with a series of computer security breaches in which hackers stole vast amounts of personal information, including Social Security numbers on more than 173,000 students, alumni, faculty and others.
Neither university has experienced the theft of laptops containing personal data, officials said.
What about the Bureau of Motor Vehicles and its voluminous files on drivers and online vehicle registrations involving banking information?
The bureau does not allow any sensitive information to be stored on laptop computers or other portable devices, spokesman Fred Stratmann said.