Yet another laptop theft: Agilent warns 51,000 workers of potential data compromise

Computerworld - In what is becoming an increasingly familiar story these days, the theft of a laptop PC containing unencrypted confidential data has prompted yet another organization to issue a warning notice to tens of thousands of people.

In the latest incident to come to light, the data breach notification came from Agilent Technologies Inc., a Santa Clara, Calif.-based maker of test and measurement equipment. Agilent last week completed the process of sending letters to 51,000 current and former employees to inform them that some of their personal and financial information may have been compromised.

The breach notices were sent out following the theft of a laptop from the car of an employee at Stock & Option Solutions Inc. (SOS), a stock-plan management services firm that works for Agilent as a third-party contractor.

The data, which was stored in an unencrypted form on the laptop, included the names, addresses, Social Security numbers of the affected individuals as well as financial information related to their Agilent stock options, said Amy Flores, an Agilent spokeswoman.

According to Flores, Agilent requires all vendors and services providers that handle employee data to encrypt the information when it is stored on laptops and desktop PCs. "It is absolutely required here," she said, noting that Agilent officials were "very surprised" to find out that the data on the stolen SOS laptop wasn't encrypted.

Flores said that SOS reported the theft to Agilent on March 4, and that the company within 48 hours began contacting current employees via e-mail to notify them of the potential data compromise. After that, Agilent began working to alert all of the former employees who were affected by the breach, she said.

Just yesterday, the National Heart, Lung and Blood Institute (NHLBI), which is part of the National Institutes of Health, said that a laptop containing unencrypted personal and medical data on about 2,500 participants in a cardiac study had been stolen from the locked trunk of the car of one of its employees.

The potentially compromised information in that incident included names, birth dates, hospital medical record numbers and medical data from cardiac MRI reports, such as heart measurements and diagnoses, according to a statement issued by the NHLBI.

Such thefts have prompted security analysts to advocate that users encrypt all data stored on laptops, desktop PCs and removable storage devices.

Indeed, after a laptop and external hard drive containing the personal data of 26.5 million military veterans and active-duty personnel were stolen from a worker at the U.S. Department of Veterans Affairs in 2006, the federal government first recommended that agencies encrypt all sensitive data on laptops and then made it an official requirement. And several state statutes, such as California's SB 1386 breach notification law, include safe-harbor provisions for companies that encrypt their data.