Rapidly changing technologies and electronic record-keeping may have made our lives and businesses a lot easier, but protecting our privacy has become much tougher.
Last March, officials at Central Connecticut State University reported that the private records of 18,000 students, alumni and employees—including Social Security numbers—had been accessed by computer hackers. A few months later, Hartford Hospital discovered that an unencrypted employee laptop containing the Social Security, Medicare and Medicaid numbers of close to 10,000 patients had been stolen. Then in November, Western Connecticut State University announced that the personal information of 234,000 students, faculty and staff members and students’ families had been stored in a potentially vulnerable manner.
As these are ongoing investigations, officials could not comment, but both Hartford Hospital and WestConn have offered free identity-theft protection to those affected. The cost of such protection is considerable; WestConn will spend more than $1 million for two years of protection.
In response to these and other data violations, Connecticut enacted the Breach Notification Law in October. It requires the attorney general’s office to be notified when businesses experience a possible data breach involving computerized information.
Stealing information sent over a public Wi-Fi network is relatively easy for tech-savvy criminals. In some ways it’s the digital equivalent of ignoring a no-trespassing sign and hopping over a short fence. One popular technique hackers use is called session hijacking. When you visit a website, your computer and that site set up a communication link, known as a session, that is identified by a session key. Hackers can steal this key and start impersonating you online.
“Once he has your session key, the criminal is on the inside of your online conversation. He can do anything that you could do at that site,” says William Saturno, president and founder of CT Hackerspace. “Chances are he will quickly change your login credentials, locking you out of your own account and giving him more time to pursue his exploits.”
CT Hackerspace is a group of local hackers that meets weekly at an old factory building in Watertown. But these hackers focus on creating new technologies and defending old ones from attacks rather than conducting the criminal activities popularly associated with the term.
Still, each year there are millions of data breaches reported nationally, such as the aforementioned incidents here in Connecticut.
“When I came into office, privacy wasn’t a burning campaign issue, but I noticed very quickly that it seemed like every month there was some new data breach,” says Attorney General George Jepsen. In September 2011, he formed a privacy task force headed by Assistant Attorney General Matthew Fitzsimmons, who suggested the new data breach law.
Although an existing law required companies to contact state residents whose information was possibly compromised, it didn’t require that the attorney general’s office also be notified, which made enforcement difficult. Since the law went into effect, Fitzsimmons says the results have been “eye-opening”—unofficially, about 100 breach notifications have already been logged. “I think it’s giving us a much better idea of how prevalent data breaches really are,” he says.
The goal of the Breach Notification Law is to help educate companies and the public and to encourage safe data-storage practices. “We’re trying to make sure everyone really knows the risks that are out there,” Fitzsimmons says, also suggesting that companies wanting to implement safer practices should look at what type of information they are collecting. “Do certain retail establishments really need folks’ driver’s licenses or Social Security numbers? Once you’ve assessed that, you have to look at how you’re protecting information—is it in paper form in an unlocked file cabinet, or is it in a computer and stored in an encrypted manner?”
“As doctors’ offices go paperless and society in general goes more and more paperless, it means data is being stored not in notebooks and physical manila files, but electronically,” says Jepsen. “So it’s an issue that’s not going to go away, and that’s why we have to bring more attention to it and create the mechanisms, like this law, that allow for enforcement and the protection of consumers.”
Knowing what he knows about the dangers posed by criminal hackers, CT Hackerspace’s Saturno advises people to take more precautions and limit the sensitive data they keep on their phones and laptops. He says, “If I need to take sensitive data on the road, many times I will save it, encrypted, separately on a flash drive that I keep on my person. There is less chance of loss when it’s in your pocket.”