Another report of a laptop stolen, this one containing reams of sensitive customer information. The laptop was later returned in the same office complex, to a room which was reportedly locked; however, the sensitive data on the laptop was not encrypted.
According to a San Francisco Chronicle article by Deborah Gage (Aug 6, 2008, pg. C1): “A laptop containing personal information on 33,000 travelers enrolled in a fast pass program at San Francisco International Airport turned up Tuesday in the same airport office from which it had been reported missing more than a week ago.
The machine belongs to Verified Identity Pass, which has a contract with the TSA to run Clear, a service that speeds registered travelers through airport security lines. Verified Identity operates the program at about 20 airports nationwide.
The computer held names, addresses and birthdates for people applying to the program, as well as driver’s license, passport and green card information. But, she said, the computer contained no Social Security numbers, credit card numbers, fingerprints, facial images or other biometric information.
Travelers in the Clear program pay to have the TSA verify their identities. In return, they receive a card that gives them access to special security lanes in airports so they can avoid standing in line to go through security.
The TSA said in a statement that Verified Identity was out of compliance with the administration’s procedures because the information on the laptop was not properly encrypted. Now the company must undergo a third-party audit before Clear can resume, the TSA said.”
When TSA states that the vendor (Verified Identity) was out of compliance, does that make the vendor liable for negligence? Not unless this was stated clearly in the contract that the vendor will be liable if customers’ private data is exposed unencrypted. Which means private data should be encrypted if it’s at the server, in transit or on the laptop.
This brings the question if the 3rd party service provider (vendor) should be considered for the security risk assessment and how often. This question should be considered before signing a service contract with the vendor and what criteria or standard should be used to assess the vendor. Should this assessment include the security office 3rd party cleaning staff, perhaps yes, considering sometime cleaning staff does have an access to very sensitive areas in the organization? Many of the controls applied to contractors should be more or less the same as applied to regular employees but the contractor who has access to sensitive information potentially should have more controls then the regular employees, which should be clearly defined in the service contract.
Before signing the service contract, due care requires the organization should always assess the vendor’s security posture based on their own information security policy and ISO 27002 standards. Depending on the risk assessment report, the organization can negotiate the controls necessary to protect the security and privacy of their data and customers with given vendors. At this point the organization needs to make a decision, if the vendor is up to par as far as information security is concerned and if negligent, give them some sort of deadline to improve controls to become a business affiliate. Depending on the level of data sensitivity, some vendors might be required to acquire ISO 27001 certification to become a business partner. This clause should be clearly included in the service contract.
Assessing the vendor on a regular basis might be the key to know if they are complying with the required security clauses mentioned in the service contract and make them potentially liable for non-compliance. If the vendor fails the assessment the organization should follow up with the vendor to remediate those gaps within a reasonable time frame, otherwise this constitutes a breach of the contract.
Laptop Security
httpv://www.youtube.com/watch?v=dytZBBlDMJs
(Free Two-Day Shipping from Amazon Prime).