The statement, which came more than a month after the March 17 armed robbery, was forced by rules from the Health Insurance Portability and Accountability Act (HIPAA). When a breach impacts more than 500 state residents—Kmart is quoted by The Chicago Tribune saying that 788 Kmart shoppers were impacted—the retailer has 60 days to announce it.
Asked why the delay, Sears spokesperson Shannelle Armstrong-Fowler pointed out that the chain moved much more quickly than the law requires. "Under HIPAA guidelines, 60 days are available for a health care entity to investigate and report on a potential breach. We completed our investigation and notified customers in approximately thirty days," she said.
Arkansas state law also requires disclosure, but it's much more ambiguous about timing: "The disclosure shall be made in the most expedient time and manner possible and without unreasonable delay, subject to any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system."
At 8:55 p.m., some 55 minutes after the store had closed, the intruder confronted the store's assistant manager, who had just closed the store for the night, when he went into the parking lot to get to his car. The thief stabbed the assistant manager's car's front driver side tire, presumably so that the assistant manager would be occupied when the thief pointed a silver gun at him and ordered him to open the store and to then open the safe, according to the police report. The thief helped himself to the contents, including about $6,000 in cash and that day's backup disk.
The disk, which was unencrypted and apparently not password-protected, included the full names, addresses, dates of birth, prescription numbers, prescribers, insurance cardholder IDs and drug names for some 788 customers, according to Sears. "Certain prescriptions also contained the customer's social security number," said the Sears statement.
Sears' Armstrong-Fowler said that "a few hundred customer SSNs were potentially involved and those customers have been individually notified." She added that no payment card data was involved.The initial police report did not reference the missing data disk, and Little Rock Police said no updated report had been filed. Such an updated report would have been filed had Sears contacted police to update the list of what had been stolen.
There is a strong chance that the thief didn't know what was on the disk and might have thrown it out. But if he didn’t, the HIPAA-mandated alert would likely flag its value. That might prompt him to find an associate with identify-theft experience to see whether the data could be accessed and sold.
Then again, given that it's only one day's worth of backups, it's not clear how many dollars that limited amount of information would likely fetch. That would have to be weighed against the risk of discovery that the identify thief wasn't really an undercover detective looking to solve this armed robbery.
Of all the kinds of data that IT must protect, there's a good argument that pharmacy information is the most sensitive. Credit card information is generally protected—as far as the shoppers are concerned—by zero liability and debit card information theft losses, although light-years more damaging than credit card data, will eventually be reimbursed by most banks. Social Security numbers—which were also stolen here—are quite bad, because SS numbers are so difficult to change and because they are so widely used for identification, as Macy's just reminded us.
Drug prescription information, though, strikes at the very heart of privacy fears. Beyond identity theft, it can be sold to marketers, divorce lawyers, databases accessed by potential employers and others. At the other extreme, it can reveal the home addresses where much-sought narcotics are housed, which creates a very frightening and potentially violent situation.
The Tribune story quoted Armstrong-Fowler as saying something curious. "Kmart officials said the chance of the perpetrators accessing customer private information is slim to none, because you would need to know what software package and have that software package to” translate the information, Armstrong-Fowler said, according to The Tribune. (Armstrong-Fowler declined to confirm the quote when we asked about it.)
Although it's true that a specialized corporate backup system—such as the one that pharmacies such as Kmart's would likely use—would be harder for most run-of-the-mill armed robbers to access than a consumer backup system, it would not likely be that difficult to extract much of the content. A hex dump utility could likely extract much of that content, which is why strong encryption (heck, in this case, any encryption would have been nice) is critical when dealing with sensitive data. A well-built safe is only protection until a hoodlum shows up with a poorly built gun. (The only way to stop a bad guy with a gun is a good guy with a 256-bit encryption key.)