Normandeau Associates, an environmental consulting firm based in New Hampshire, notified the New Hampshire Attorney General of the theft of a laptop with an encrypted employee database. The theft occurred in 2008, and the laptop was recovered in February 2009, but Normandeau did not learn of the problem until June 2009, at which point they notified 277 employees in New Hampshire. As they explain (pdf):
In June, 2009, Normandeau learned that one of its laptop computers had been stolen from the home of a Normandeau employee in November, 2008, and later returned in February, 2009. The password protected laptop contained an encrypted employee database with personal information, including names, social security numbers, and bank account numbers of past and present Normandeau employees. The perpetrator required specific computer software to access the encrypted database in its existing fonnat on the laptop, and it is unknown if access was actually made.
The local police were notified about the theft and Normandeau conducted an internal investigation. Nonnandeau also consulted with a computer forensic analyst, but was unable to detennine if unauthorized access to the database actually occurred. There is no evidence of misuse of the personal information.
Normandeau has policies that prohibit personal information from being downloaded onto its laptop computers. In this instance, the database was temporarily stored on the laptop during restorative maintenance to the company’s network, and contrary to company policy, not thereafter removed. The company took action against the responsible person for unintentionally failing to remove the database containing the personal information as required by company policy. No further precautionary actions were required to prevent similar breaches.