An employee for the state of Ohio lost a CD containing the Social Security numbers and "other" personal information for ALL 64,000 Ohio state employees.
Now Governor Ted Strickland has stepped in and issued an executive order to change the way data is handled.
I did a quick search to look at who had picked up this release. It was on the top of MSNBC's website under the heading "Also Making Headlines". ABC, the Boston Herald, Baltimore Sun, Forbes, Houston Chronicle, and over 130 other news outlets decided that this was important enough to announce. Not the kind of headlines you want to make.
So please take a moment and visit this site. It is the Governor office's announcement and a copy of his executive order. I believe they are handling this very well and I completely approve of the steps they are taking and the immediacy they are giving this issue.
Among the steps is a change in their completely BONE-HEAD methodology of storing this data off-site. That alone should get someone fired. Storing this kind of information at some employee's apartment? Are you kidding me? Folks, if any of you are doing this then count yourself lucky that you are still employed and hire someone today that can securely and legitimately store the data.
Next, the assessment is so important. They need to know what data is important to secure and what data is not. They need to ensure the data is handled properly at every point.
Lastly, the push to have this occur within seventy-five days is extremely aggressive for any government body so I'll cut them some slack on the timeframe.
Also, I like the fact that they have set up a website so the state employees can have a place to get the latest info on the breach.
Of course, credit monitoring (and the associated costs with that) is de rigueur at this point.
It is unfortunate that the disc (or device depending on where you get your information) was "contained on a specialized medium" and that "it is highly unlikely that the data could be accessed by someone without the knowledge of how to do so."
I say unfortunate because it doesn't really mean squat in this situation. They are still being run through the wringer because they can't say authoritatively that the disc is encrypted and completely worthless to anyone that doesn't have the key.
So take a good look at how Ohio is addressing this problem. They are doing a great job of trying to clean up a mess they could have prevented in the first place.
In fact, I would just keep this site handy in case you don't have your own ducks in a row. Ohio might become a good template for your company. And on that sarcastic note, I sincerely wish you a fun and safe weekend!
Michael Mongold