Towards the end of April, someone broke into the car of an athletic trainer working for the Washington Redskins football team. They made off with a backpack which contained – among other things – a laptop with the medical records for thousands of players, including every player who went through the NFL Combine since 2004. And according to news reports this week, although the laptop itself was password protected, the records were unencrypted.
According to an official statement from the Washington Redskins, no social security numbers, HIPAA-protected information, or financial data was stolen, nor is any at risk of being exposed. And while it’s true that there’s no clear indication yet that any data has been compromised, that could easily change. Assuming the thief actually knows what they’ve stolen, they may well try to crack the password on the laptop – and should they do that, the files are theirs.
The NFL has done a lot of things right in this situation. They immediately notified law enforcement of the theft, and have been working directly with the police to track down the stolen materials. They are demanding additional training for people with access to medical information and mandatory device encryption, and are working with the Redskins and the Players Association to track down parties impacted by the theft.
“The club is taking all appropriate steps to notify any person whose information is potentially at risk,” reads a statement issued Wednesday by the NFL. “All clubs have been directed to re-confirm that they have reviewed their internal data protection and privacy policies, and that medical information is stored and transmitted on password-protected and encrypted devices.”
Unfortunately, there’s little they can do about the laptop itself. Even in light of their swift response, they’ve no means of safeguarding the files present on the stolen device. With a document control solution like WatchDox in place, however, they’d have had multiple options for keeping their players’ medical records safe:
1. File-level Encryption
Even if the thief was technically sophisticated enough to bypass the laptop’s login security and access the files (or sold the laptop to someone with advanced hacking skills), they still would not have access to WatchDox-protected files. WatchDox safeguards each file individually with 256-bit encryption and user authentication.
2. Access Revocation
Even if a device is breached, its files remain secure. By revoking access to sensitive files present on the laptop, the NFL could have ensured that if the thief was aware the medical records were present, they’d be incapable of accessing them. Without file permissions, the thief would be left with nothing but unhackable data blobs.
3. Custom Authentication Timeouts
Administrators are able to set custom authentication timeout periods for accessing files offline. Even if the thief gained access to the user’s account, they would still need to authenticate with the WatchDox server to open the encrypted documents once that offline period expired.
And if the thief somehow gained access to the user’s account on the local operating system but did not bring the computer online, the files would remain encrypted and unusable.
4. A Robust Tracking System
If the criminal gained access to the user’s account and brought the laptop online, revoked files would automatically be removed. But why not push a decoy file to the device through the sync engine? When accessed, WatchDox’s tracking capabilities would help determine the thief’s location and IP address. At that point, the NFL could have forwarded the information to law enforcement, bringing the criminal that much closer to justice.
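As an added illustration (not WatchDox’s code, and not a description of its internals), the following Python model walks through the lifecycle the four points above describe: a per-file key that lives on the server, an offline lease that expires after the administrator’s timeout, and revocation applied the next time the device syncs. The class names, the timeout value and the cipher are assumptions; HMAC-SHA256 in counter mode stands in for AES-256 only because the standard library has no AES.

```python
import hashlib, hmac, os

OFFLINE_TIMEOUT = 8 * 3600  # admin-set offline authentication timeout in seconds (constructed value)

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256. A stdlib stand-in for the
    AES-256 a real product would use; it is here only so the example runs offline."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class DocServer:
    """Constructed model of the document-control server: one random key per file,
    a revocation set, and time-limited offline leases handed out after authentication."""
    def __init__(self):
        self.keys, self.revoked = {}, set()
    def protect(self, file_id: str, plaintext: bytes) -> bytes:
        self.keys[file_id] = os.urandom(32)          # file-level key; the device never stores it permanently
        return keystream_xor(self.keys[file_id], plaintext)
    def revoke(self, file_id: str):
        self.revoked.add(file_id)
    def lease(self, file_id: str, now: int):
        if file_id in self.revoked:
            return None                               # a revoked file never gets its key back
        return {"key": self.keys[file_id], "expires": now + OFFLINE_TIMEOUT}

class DeviceAgent:
    """Constructed model of the client: holds ciphertext plus cached leases,
    enforces the timeout while offline, and drops revoked files when it syncs."""
    def __init__(self):
        self.files, self.leases = {}, {}
    def receive(self, file_id: str, ciphertext: bytes, lease: dict):
        self.files[file_id], self.leases[file_id] = ciphertext, lease
    def open_offline(self, file_id: str, now: int):
        lease = self.leases.get(file_id)
        if lease is None or now > lease["expires"]:
            return None                               # lease expired: must re-authenticate with the server
        return keystream_xor(lease["key"], self.files[file_id])
    def sync(self, server: DocServer, now: int):
        for file_id in list(self.files):
            lease = server.lease(file_id, now)
            if lease is None:                         # revoked on the server: remove file and cached key
                del self.files[file_id], self.leases[file_id]
            else:
                self.leases[file_id] = lease
```

The timeout is enforced by the agent on the device, which is why it matters that the file key exists there only inside a short-lived cached lease rather than beside the file.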
Particularly in the age of mobility, device theft is an enduring threat. Password protections and encryption are both important, but both can be broken. And there’s no way of knowing for sure if your business partners will use either when dealing with your data.
With WatchDox, you needn’t worry. You retain full control over your files even if they’re on the stolen device of a hapless user, regardless of whether or not they’re under your employ.
Want to learn more about what WatchDox can do for you? Check out our webinar, WatchDox by BlackBerry: Industry Use Cases for EFSS or download the Forrester Wave report naming us a Leader in EFSS. You can also visit the official WatchDox page or view our WatchDox product demo for further information.