http://www.columbusdispatch.com/news-story.php?story=dispatch/2006/07/03/20060703-C1-00.html

By Randy Ludlow
THE COLUMBUS DISPATCH
July 03, 2006

Data thieves don't always sneak in through a digital back door. Sometimes, their work is decidedly low-tech, such as strolling through a real door and snatching a laptop computer.

In Ohio, some state agencies and universities appear to be lagging the technological curve as the federal government tightens the security of data on portable computers.

The feds' action was prompted by the lifting of a laptop and external hard drive, recovered last week, that held the Social Security numbers of about 26.5 million military veterans.

New security guidelines require civilian agencies to encrypt sensitive data to make it nearly impossible to steal identities should laptops and handhelds disappear.

Among a sampling of state agencies handling personal information on millions of Ohioans, only the Department of Taxation boasts of nearly impenetrable data encryption.

The Department of Job and Family Services and Department of Administrative Services are planning to encrypt data, but are not there yet.

Ohio State University and Ohio University also do not use scrambling software on portable devices, but appear to be on the verge.

Securing portable data appears to have evolved slowly in Ohio, said Marc Mezibov, a Cincinnati lawyer who is suing OU and the Department of Veterans Affairs over data thefts.

"I'm sure there will be a lot of finger-pointing and wondering why some of these institutions and organizations are behind the curve," he said.

State agencies and contractors have been handed a financial incentive to encrypt data under a state law that took effect early this year. They can escape mandatory, costly notification of data-theft victims if the data is encrypted.

The Ohio Office of Information Technology prescribes minimum security standards for state computers and encourages that they be exceeded, but does not require the use of encryption software.

With Social Security numbers and employment, investment and income information, the tax collectors hold the most far-reaching personal information of any agency.

The data, says taxation spokesman Gary Gudmundson, is encrypted with state-of-the-art software on both servers and laptops, and is considered virtually hack-proof.

Four state laptops used by taxation employees were stolen during the past three years, but only one contained data on individual taxpayers, he said. That computer held information on an audit of one taxpayer, but it was deemed inaccessible because of encryption, he said.

The Department of Job and Family Services works with personal data involving welfare, Medicaid, child-support and unemployment recipients.

Plans call for installing data-encryption software on portable devices before the end of the year, spokesman Dennis Evans said.

Only one department laptop with personal information - on 20 Medicaid recipients - has been stolen. It was taken from an employee's car in December 2004, prompting a directive not to leave computers in vehicles, he said.

The Department of Administrative Services functions as the centralized human-resources office for the state and handles other sensitive material involving state contracts and bidding.

It, too, is moving to add encryption software to its list of security features protecting laptops, said spokesman Ben Piscitelli. No computers with personal data have gone missing.

Ohio State and OU do not require encryption software to protect sensitive information on laptops, but are studying a move toward such protection, officials said.

OSU is working with a consortium of Big Ten and other universities to identify best practices, likely to include stepped-up security, said Robert Kalal, director of information technology policy and services.

OU has made headlines with a series of computer security breaches in which hackers stole vast amounts of personal information, including Social Security numbers on more than 173,000 students, alumni, faculty and others.

Neither university has experienced the theft of laptops containing personal data, officials said.

What about the Bureau of Motor Vehicles and its voluminous files on drivers and online vehicle registrations involving banking information?

The bureau does not allow any sensitive information to be stored on laptop computers or other portable devices, spokesman Fred Stratmann said.