Mass. Secretary of State's Office: Accident or Data Breach?
Posted by Peter Streips on Fri, Jul 16, 2010 @ 09:06 PM
Recently the Massachusetts Secretary of State's office accidentally handed over a CD-ROM containing confidential information of 139,000 state-registered investment advisers to IA Week, an investment industry publication.
The sensitive data included investors' names, Social Security numbers, birth dates and locations, and even height, weight, and hair and eye color.
This incident occurred when a new employee submitted the information without deleting the investment advisers' Social Security numbers and other private information, which are normally withheld for such requests.
IA Week returned the CD-ROM without copying any of the data.
This incident raises the question: is this a security breach or not, especially when there was no abuse of the data?
"The users should treat this as if their personal information is now at risk," said David Berman, director of product marketing for Voltage Security. While the breach appeared to be an accident, Berman said that any exposure of personal information could have been prevented if the Massachusetts office had deployed basic encryption technology that would have masked sensitive data unintentionally saved to the disk.
This has become a big issue, with more and more companies using DLP (Data Loss Prevention) systems and many required to do so by industry or state regulations. If the Secretary of State’s office had a DLP system in place, it would have either prevented the employee from copying the sensitive data to the CD or, at the very least, alerted someone within the office that it was done, hopefully in time to prevent the mistake from happening. Even though this was an innocent mistake, employers need to educate their users on the importance of securing personal and confidential information.