CW: Agilent Warns Workers of Potential Compromise in Wake of Laptop Theft

In what is becoming an increasingly familiar story these days, the theft of a laptop PC containing unencrypted confidential data has prompted yet another organization to issue a warning notice to tens of thousands of people.

In the latest incident to come to light, the data breach notification came from Agilent Technologies Inc., a Santa Clara, Calif.-based maker of test and measurement equipment. Agilent last week completed the process of sending letters to 51,000 current and former employees informing them that some of their personal and financial information may have been compromised.

The breach notice was sent out following the theft of a laptop from the car of an employee at Stock & Option Solutions Inc. (SOS), a stock-plan management services firm that works for Agilent as a third-party contractor.

The data, which was stored in an unencrypted form on the laptop, included the names, addresses, Social Security numbers of the affected individuals as well as financial information related to their Agilent stock options, said Amy Flores, an Agilent spokeswoman.

According to Flores, Agilent itself mandates that all personal data stored on company laptops be encrypted. “It is absolutely required here,” she said, noting that Agilent officials were “very surprised” to find out that the data on the stolen SOS laptop wasn’t encrypted.

Flores said that SOS reported the theft to Agilent on March 4, and that the company within 48 hours began notifying current employees of the potential data compromise via e-mail. After that, Agilent began working to alert all of the former employees who were affected by the breach, she said.

Just yesterday, the National Heart, Lung and Blood Institute (NHLBI), which is part of the National Institutes of Health, said that a laptop containing unencrypted personal and medical data on about 2,500 participants in a cardiac study had been stolen from the locked car trunk of one of its employees.

The potentially compromised information in that incident included names, birth dates, hospital medical record numbers and medical data from cardiac MRI reports, such as heart measurements and diagnoses, according to a statement issued by the NHLBI.

Such thefts have prompted security analysts to advocate that users encrypt all data stored on laptops as well as on desktop PCs and removable storage devices.

Indeed, after a laptop and external hard drive containing the personal data of 26.5 million military veterans and active-duty personnel were stolen from a worker at the U.S. Department of Veterans Affairs in 2006, the federal government first recommended that agencies encrypt all sensitive data on laptops and then made it an official requirement. And several state statutes, such as California’s SB 1386 breach notification law, include safe-harbor provisions for companies that encrypt their data.