Following on from last week’s announcement that the office of the Comptroller Auditor General lost a laptop containing sensitive data at a bus stop, today the CAG announced that it lost a laptop in April 2007 that contained information from the Department of Social and Family Affairs on over 380,000 welfare recipients. The laptop was stolen from the office of the CAG and, to compound the problem further, while the data was sent to the CAG from the Department of Social and Family Affairs in encrypted format, it was subsequently stored on the CAG laptop in plaintext form. The compromised data included personal details such as bank account numbers, names and addresses of people; in fact, the perfect data an identity thief would pay a lot of money for.
Questions have to be asked: why did it take so long for those affected to be informed of the breach? It is nearly 17 months since the laptop was stolen but details are only being made public now. Why were those affected not made aware that they were at risk of identity theft? And by the way, the argument that the data has not yet been abused is not a valid one.
Yet again this is another example of why we need mandatory breach disclosure laws in this country. While we have had a number of good examples of how to deal with breaches, too often we have had too many bad examples. The time of people relying on organisations to do the right thing is over and we need to introduce regulations that mandate the appropriate steps an organisation should take in the event it suffers a breach.
Digital Rights Ireland have a post that covers some of the legal aspects regarding this breach. If you feel as strongly about breach disclosure as I do, then they also have details on how you can add your voice to the debate.