
Laptop Loss = Security Breach?
A stolen computer can mean much more than a personal loss of the hardware and data stored on it. If that computer held your unencrypted personally identifiable information (PII), you could be at risk for identity theft. And if it had held information about others, you may have legal obligations to report that loss in a timely manner.
Currently there is no national law that requires notification should PII be put at risk. However, at least 39 states and the District of Columbia have enacted legislation requiring notification of security breaches involving personal information. Rhode Island is one of those states. [State Security Breach Notification Laws]
According to Rhode Island Statute 11-49.2-3 (Notification of breach):
Any state agency or person that owns, maintains or licenses computerized data that includes personal information, shall disclose any breach of the security of the system which poses a significant risk of identity theft following discovery or notification of the breach in the security of the data to any resident of Rhode Island whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person or a person without authority, to acquire said information. The disclosure shall be made in the most expedient time possible and without unreasonable delay . . .
To compound the legal obligations, residents of other states who may have had their PII breached are covered by their respective states' laws. For a compendium of the key requirements, see the document "State Security Breach Notification Laws", prepared by Ron Weikers, Esq.
If your computer is stolen, lost or compromised and it contained PII, whether you need to report this will therefore depend upon the degree of risk and whether or not the data had been encrypted. Should the risk be high and the data exposed, then disclosure will need to be reasonably prompt.
If you suspect that PII may have been put at risk, report the incident to the office of IT Security as quickly as possible for assistance.
To avoid the headaches of disclosure:
- Physically protect your computer.
- Do not store sensitive data on your laptop or portable media (such as a thumb drive or CD).
- If you cannot avoid doing this, encrypt the data.
- Follow the Golden Rule, "Treat the confidential and personal information of others as you would want them to treat yours."
And if your own PII could be at risk, consult the Federal Trade Commission's resource, "Fighting Back Against Identity Theft: Information Compromised?"
