
SANS Security Trend Line

The Information Loss Costs Waaay More Than the Device Loss

SANS NewsBites recently carried a news item I commented on:

Two Laptops Stolen From Insurance Office Contained Unencrypted Patient Data

(December 16, 2013) Earlier this month, a New Jersey health insurance company began notifying more than 800,000 members that their personally identifiable information was stored, unencrypted, on laptops stolen from Horizon Blue Cross Blue Shield headquarters in Newark. The data include names, addresses, dates of birth, insurance ID numbers, and clinical information.

It looks like back in 2008, Horizon BCBS NJ suffered a similar incident that affected 300,000 accounts. It appears that in reaction to that event, Horizon BCBS moved to cable locks to prevent physical theft of the laptops rather than encryption to prevent theft of the data.

You can see how the tradeoff might have gone after the 2008 incident:

Problem: physical theft of a laptop resulted in customer information exposure.

Alternatives: (1) Protect the laptop from theft; (2) Protect the data from exposure.

  • Horizon BCBS says it has 5,000 employees.
  • 5,000 cable locks would cost something like $150,000 (I'll just assume every employee had a laptop for comparison purposes).
  • 5,000 desktop encryption programs would cost about $400,000.
  • Our staff can install cable locks easily; installing and maintaining encryption, not so easy.
  • The auditors will go away if we do one or the other.

Conclusion: preventing a laptop data breach by physically protecting the laptop will save $250,000 in procurement over encrypting all laptop data, and will reduce installation costs.

(Reality is probably more like only a few hundred facility-bound laptops needed cable locks, but this makes the savings more dramatic.)

Obviously, the cable lock wasn't sufficient to prevent physical theft of the laptop, so the whole strategy was doomed from the start. But the real issue is that preventing physical theft of the laptop only addresses one breach vector (physical theft from a fixed location), while laptop data encryption addresses many breach vectors (physical theft from a fixed location, physical theft outside the facility, employee loss of the device, malware exposure, etc.).

The cost to Horizon BCBS of failing to protect 800,000 customer records will likely be in the $50M range. Increasing the probability of that incident occurring by 1% is a $500K impact, or twice the savings of going with the cheaper cable lock solution.

Another way to look at it: the cost of replacing the laptop hardware ($4,000) is less than 0.01% of the cost of dealing with a data disclosure incident of this scope ($50M).
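As an added illustration (not part of the original post), here is the expected-loss arithmetic behind the argument above, generalized across the breach vectors the post lists. The dollar figures are the post's; the per-vector annual probabilities and the control effectiveness values are constructed assumptions, labelled as such in the code.

```python
# Expected-loss comparison of cable locks vs. laptop encryption.
INCIDENT_COST = 50_000_000     # post: ~$50M to handle an 800,000-record disclosure
CABLE_LOCK_COST = 150_000      # post: 5,000 cable locks
ENCRYPTION_COST = 400_000      # post: 5,000 desktop encryption programs

# Breach vectors named in the post, each with an ASSUMED annual probability
# of producing a disclosure-scale incident if nothing is done.
VECTORS = {
    "theft_fixed_location": 0.010,
    "theft_outside_facility": 0.010,
    "employee_loss": 0.010,
    "malware_exposure": 0.005,
}

# Which vectors each control addresses and how much it is ASSUMED to cut the
# disclosure probability for those vectors (the cable locks were defeated in
# the 2013 theft, so they get a modest figure).
CONTROLS = {
    "none": {"cost": 0, "covers": set(), "reduction": 0.0},
    "cable_locks": {"cost": CABLE_LOCK_COST, "covers": {"theft_fixed_location"}, "reduction": 0.70},
    "encryption": {"cost": ENCRYPTION_COST, "covers": set(VECTORS), "reduction": 0.95},
}


def expected_loss(control: str) -> int:
    """Annual expected disclosure loss (dollars) with the given control in place."""
    c = CONTROLS[control]
    total = 0.0
    for vector, p in VECTORS.items():
        residual = p * (1 - c["reduction"]) if vector in c["covers"] else p
        total += residual * INCIDENT_COST
    return round(total)


def total_cost(control: str) -> int:
    """Control procurement cost plus the expected loss it leaves behind."""
    return CONTROLS[control]["cost"] + expected_loss(control)


def probability_impact(delta: float) -> int:
    """Dollar impact of moving the incident probability by `delta` (post: 1% -> $500K)."""
    return round(delta * INCIDENT_COST)


def break_even_delta(cheaper_cost: int, dearer_cost: int) -> float:
    """Probability increase at which the cheaper control's savings are wiped out."""
    return (dearer_cost - cheaper_cost) / INCIDENT_COST
```

With the post's figures, `break_even_delta` comes out at 0.005: the cable-lock option only pays off if it raises the incident probability by less than half a percentage point.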
