Fallout from stolen laptop cannot be ignored
I've said on many occasions that internal threats are often the most pressing, despite the fact that external data security threats generate the most headlines.
One of the most common forms of internal security lapses involves carelessness with back-up tapes and with mobile computers. It's all too easy for employees and contractors to take a cavalier attitude toward these devices, even when they are loaded with sensitive information. Many of the risks are obvious, but there are some unexpected ones as well.
I raise this issue in light of the news from ComputerWorld that a group of employees and contractors are pondering a lawsuit against NASA's famed Jet Propulsion Laboratory, which suffered a breach in the form of an unencrypted laptop stolen from the locked car of a teleworking employee. It unfortunately held sensitive data on 10,000 employees and contractors, including Social Security numbers. The group is apparently considering a class-action suit against NASA over the breach, arguing that the lab was negligent and in violation of the Privacy Act.
This is not the first time that the lab has been mired in a privacy-oriented lawsuit by employees and contractors. In the immediate aftermath, NASA made some changes. All computers are scheduled to be encrypted by the end of the year, for example. Being sued by employees isn't necessarily an obvious outcome of a security breach, but you can bet we'll be seeing more of this. Given the active plaintiffs' bar in this arena, we may be at the point where compromised employees will file a suit as a matter of course.