The information stored on the stolen disks included the names, addresses and phone numbers of families whose children were referred to the DES for early intervention services over the past several years. In the cases of families that had applied for and received services from the agency, their records also , DES spokeswoman Liz Barker Alvarez said.
The DES provides services such as financial assistance and food stamps programs as well as ones that are aimed at preventing child abuse and neglect. According to Alvarez, the data on the stolen disks was password-protected . She said the disks were stored in a leased storage unit at a local Extra Space Storage facility that was broken into on Oct. 14, and were part of a much broader array of items -- including furniture and electronics -- that were taken from multiple units at the facility.
As a result, Alvarez added, there's little reason to believe that the thieves were specifically going after the disks or the data on them.
Alvarez said the disks were stored in accordance with the agency's rules, which call for sensitive data to be backed up and kept at an off-site storage facility. She defended the use of the commercial facility and said the unit in which the disks were stored had been locked and monitored.
As has become typical , Alvarez said that the breach notices were being sent out not because any of the data has been misused but rather out of an overabundance of caution on the part of DES officials. In addition, both Arizona laws and DES rules in any situation in which personal information is put at risk of being misused, she said.
The only real difference between the incident in Arizona and most of the disclosed over the past few years is the fact that the compromise at the DES involved the personal data of a large number of children. Other than that, it continues the steady drum beat of breach disclosures resulting from the loss or theft of laptops and storage devices.
Earlier this week, for instance, Dallas-based Baylor Health Care System began notifying of the potential compromise of their Social Security numbers and other personal information after a laptop containing the data was stolen in September.
The , which maintains a dating back to 2005, lists dozens of incidents involving lost or stolen equipment for this year. Among them were a that compromised sensitive data about 2,500 participants in a cardiac study conducted by the National Heart, Lung and Blood Institute, and a similar incident involving at
Such incidents have prompted security analysts to long advocate the use of data encryption technologies. But as the continuing string of breach disclosures indicates, many organizations still aren't following that advice.
That inaction has spurred some states to try to take matters into their own hands by enacting . For instance, Massachusetts earlier this year approved a law all entities operating in the state to encrypt sensitive data while it is at rest, in transit and in storage. Regulations based on the statue are scheduled to go into effect Jan. 1.