Connecticut Revenue Agency Reports Missing Laptop

Connecticut Gov. Jodi Rell has ordered the state's IT agency to implement new controls for protecting sensitive data on laptops after a recent theft exposed data on 106,000 taxpayers in the state.

Under her directive, the state's CIO has until Sept. 7 to come up with a Laptop Computer Security Policy and associated guidelines for state employees. The policy will require agencies to monitor and restrict sensitive data on laptops and expand the use of secure data access and transport tools, including VPN technology. The new policy is also expected to spell out data breach notification guidelines under which state agencies would be required to immediately notify Connecticut's Department of Information Technology when a laptop is stolen or goes missing.

Rell also ordered the state's IT group to accelerate the selection and deployment of encryption tools for use by agencies.

The governor acted after the state's Department of Revenue Services (DRS) disclosed earlier this week that a laptop containing personally identifiable data on more than 106,000 taxpayers had gone missing. That marked the third report this week of a laptop containing sensitive data being stolen.

In an official statement, the department offered very little information on what might have happened or when the laptop was stolen. All it said was that the missing laptop was password protected and contained details such as Social Security numbers and taxpayer names.

"The agency has no information to date that any of the data has been accessed. All actions being undertaken by DRS are preventative," the statement said. A statement announcing Rell's measures indicated that DRS waited 11 days after the loss to start notifying affected individuals.

The DRS said it has notified the appropriate law enforcement authorities and is in the process of informing all of those affected by the theft. The department has also set up a Web site that state taxpayers can use to find out whether their names were on the compromised list. In addition, the state has contracted with Debix Identity Protection Network (Debix) to provide credit monitoring services to those affected by the theft.

The department did not offer any information on whether the data on the laptop might have been encrypted. But in the past, analysts have noted that when breached entities do not refer specifically to encryption in their notifications, it's a pretty good bet to assume that they did not use encryption to protect data.

The Connecticut theft is the third such incident to make news this week. AT&T Thursday confirmed that a laptop containing unencrypted personal information on an unspecified number of current and former employees of AT&T Corp. (now owned by SBC) was stolen from the vehicle of a consultant working for the company.

The other incident involved a similarly unprotected laptop at Maryland's Department of the Environment. As with the AT&T compromise, no details were released on how many people might have been affected by that theft, which involved a computer containing personally identifiable information on individuals who had been issued licenses by four separate state agencies.