Category Archives: Data Loss

The World's largest Stem Cell Bank suffers theft of 300,000 client records

The Cord Blood Registry, the world’s largest stem cell bank based in California, has suffered a data breach leading to the theft of 300,000 client records. This could prove very costly to the company, as current research published by the Ponemon Institute reports that the average cost per lost record to a business is now at $214.

The theft occurred in December last year outside a data centre in San Francisco when a CBR employee’s car was broken into. The personal data of the clients was stored on a laptop and on LTO4 tapes and, to make matters worse, the data was not encrypted. The report published by Networkworld says that although letters have been sent out to all clients affected by the data breach, some only received their letters this month.

The CBR’s director of corporate communications, Kathy Engle, states that no cases of identity theft resulting from the theft have yet been reported. She goes on to say: “The tapes may have contained personal client data of adults (credit card numbers, driver’s license numbers or social security numbers); nothing on children and no health information at all.”

One client who received a letter, an IT professional who used to work for EMC, said: “What on earth are LTO4 tapes doing in a trunk with all this ‘secure’ information? CBR hasn’t described what was actually stolen either. I’m frustrated.”

The CBR stores 350,000 blood collections from umbilical cords, a rich source of stem cells that can help with future medical treatments. The CBR charges over $2000 per client for signing up to the storage, with ongoing fees of $125 per year. Working with the Ponemon Institute’s figures, this data breach could set the company back $64.2 million and cause irreparable damage to the company’s reputation.

Gmail data loss affects 150,000 users

The world’s largest hosted email account provider has experienced a serious technical issue resulting in widespread data loss. Gmail reset around 150,000 user accounts on Sunday, preventing users from accessing their data and causing serious concern about data security. With Gmail now being heavily used by businesses, and not just home users, this could land businesses in breach of data retention policies, which could have financial and legal implications.

Such a serious data breach has forced Google to respond very quickly to the press. In all fairness to Google, they have admitted that this was a major fault on their part and are working vigorously to limit any further consequences. Google are therefore trying to recover all email inboxes and chat logs that were wiped during the data loss.

Google’s statement following the incident read,

“This issue has affected less than 0.08 percent of the Google Mail user base. This is a revised estimate. Google engineers are working to restore full access. Affected users may be temporarily unable to sign in while we repair their accounts.” Google also reported that neither they nor the affected users have been amused by the weekend’s events, an obvious remark, one would have thought.

The growing importance of email in today’s world is evident, and fast and secure systems are a must. With such pressure being put on email both internally and externally, surely companies should better research whether a hosted or onsite solution is best? Whichever direction is taken, companies must ensure that they have a secure and reliable online data backup and disaster recovery solution and plan in place.

There are many solutions on the market today that can back up and protect all email formats at either the top level or at a granular level. For further information on how Backup Technology can protect email formats, please follow this link: http://www.backup-technology.com/online-backup/

Gwent Police staff member emails thousands of personal records to the wrong person

The Information Commissioner’s Office (ICO) has recently criticised Gwent Police, after a staff member accidentally emailed the personal records of thousands of individuals to the wrong person. The situation was exacerbated by the fact that the person it was sent to happened to be a journalist!

The ICO has found the force in breach of the Data Protection Act and as such has made the Chief Constable sign an undertaking to ensure these leaks never happen again. The signed undertaking document, available on the ICO website, details the exact breach and the remedial action taken by the force to prevent further leaks.

The email contained a spreadsheet with the details of ten thousand Criminal Records Bureau (CRB) enquiries. Whilst the vast majority of the records contained little information, 863 records contained the information of the individual concerned with the CRB enquiry. The email was supposed to be sent to five police staff only; however, the email was also cc’d to a journalist. The undertaking states Gwent Police must now introduce technical measures to prevent auto-completion of email addresses within internal and external correspondence.

Anne Jones, assistant ICO Commissioner for Wales, released a statement saying: “It is essential that staff are aware of and follow their organisation’s security policies. Such a huge amount of sensitive personal information should never have been circulated via email, especially when there was no password or encryption in place. We are pleased that Gwent Police has taken steps to prevent this happening again.”

The ICO held back on releasing the information about the data leak until the force had completed its own investigations.

Online Trust Alliance guidelines for data security breaches

A report has been released by the Online Trust Alliance setting out guidelines for preventing, detecting and responding to data security breaches. The number of high-profile data loss cases that reached the public eye in 2010 has made organisations seriously consider their practices and how they can best avoid such occurrences.

The 2011 Data Breach & Loss Incident Readiness Guide is intended as an aid to businesses, nonprofits and governmental agencies in creating data incident plans, with recommendations including best security practices and planning models.

“There is no one size to fit all,” said OTA Executive Director Craig Spiezle. But the recommendations outlined in the report should apply to government agencies as well as to businesses. Despite the growing list of regulatory requirements for using best practices in protecting electronic data, “a lot of agencies haven’t thought through all of this,” he said.

Agencies vary widely in their levels of preparedness, and experience has proved a valuable if not always pleasant factor, Spiezle said.
“Those that are best equipped today are the ones that have had incidents in the past,” such as the Veterans Affairs Department, which suffered a black eye from the 2006 theft of a laptop containing information on millions of veterans, he said.

The OTA is a nonprofit group focused on identifying best practices for ensuring privacy and data security. Although it began in 2004 as an industry organization, members today include the U.S. Senate, Commerce Department and the USPS Inspection Service, and it has worked with the Federal CIO Council and the White House task force developing the National Strategy for Trusted Identities in Cyberspace.

Breaches of personally identifiable information that could be used for identity theft or other fraud have become a high-profile problem. It is compounded by the organized theft, sale and exploitation of the data in a growing underground economy. OTA cited reports of more than 400 incidents exposing more than 26 million personal records in 2010, and said that 96 percent of online breaches were preventable using internal controls recommended in its report.

In addition to breaches of personal information, incidents such as the recent release of leaked classified information through WikiLeaks have caused the Office of Management and Budget to require agencies to assess plans and capabilities for protecting classified information.

Data Loss – Investigation reveals Gloucestershire Police has no idea how or when it lost data on Laptops and USB Sticks

An investigation by a local newspaper in Gloucestershire has exposed numerous cases of data loss in the last 3 years involving the Gloucestershire Police Force. Taking advantage of the Freedom of Information Act, under which government-held information is freely available upon request, the Echo revealed losses of tapes containing 999 recordings, laptops and USB sticks.

All losses are recorded in the force’s Information Security Register; however, details of where the data was lost, what data was lost and how it was lost in the first place are not documented!

Between October 2009 and September 2010, two separate tapes containing 999 calls were lost, along with a USB Stick containing police force data. The previous year it is recorded that two laptops were misplaced, but a spokeswoman on behalf of Gloucestershire Police insists the devices will have been encrypted. Alexa Collicott states: “We take our responsibility to protect personal data very seriously and robust safeguards are in place for storing and transferring all information held by the constabulary. No police operations have been compromised by the items lost over this period. Police officers and staff are expected to take due care with all police property to ensure that it is handled and maintained in accordance with the law and police policy.”

With solutions such as Remote Data Deletion available on the market, encryption should not be the only method of securing a laptop. By implementing a remote data deletion solution, where a user can log into a web portal and start the removal of all data from a laptop, as well as ensuring data is securely backed up, these incidents need not be cause for continual alarm.

Portable devices pose biggest risk to data security in 2011

A UK think tank has concluded that the prevalence of portable storage devices and mobile phones will be the biggest headache for those who want to protect data and ensure total system security over the coming 12 months.

The Digital Systems Knowledge Transfer Network has made this announcement, with director Tony Dyhouse saying that devices capable of storing data in a portable form factor will allow cybercriminals the opportunity to exploit new security weaknesses in 2011.

It is not just the data storage abilities of these devices but also the fact that they can connect to wireless networks that makes them vulnerable, according to Mr Dyhouse.

He expects hackers to find new ways of hijacking the data being sent and received over Wi-Fi and Bluetooth, allowing criminals to act in a clandestine manner which is difficult to detect, while harvesting significant amounts of information.

Mr Dyhouse believes that the average user needs to wise up to the potential threats posed by using this type of device. He said that the firms which provide portable gadgets will not take responsibility for the security in the event of data loss and, as such, it is down to the end user to act as ultimate guardian of the details stored within.

The potential for human error to result in data loss, or even for users to become complicit in data theft, is of great concern among security professionals, and the think tank is urging organisations to make employees take responsibility for how they use portable devices.

Mr Dyhouse emphasised the fact that he is not expecting every user to become an expert in data protection overnight, but, instead, is seeking an improvement in the general level of understanding with regards to how cybercriminals operate and how they leverage social engineering to prey on their victims.

Mr Dyhouse told Infosecurity Magazine that the government’s pledge of investing £650 million to help combat the threat of cybercrime was a positive step, but that when compared to the losses suffered by businesses, it is a fraction of what is required.
