McAfee Helps the State of South Carolina Protect Confidential Data for Over 32,000 Offenders

The South Carolina Department of Probation, Parole and Pardon Services supervises offenders placed on probation by the court and paroled by the State Board of Paroles and Pardons, as well as those on Youthful Offender Release from the South Carolina Department of Corrections. The department employs various community sanctions to support supervision and help ensure that parolees meet the conditions of parole. “We have data on over 32,000 offenders, plus incredibly sensitive victim services data,” explains David O’Berry, director of information systems and services. “A data breach can have very serious consequences, including threats to public safety, re-victimization of individuals, and so forth. With that in mind, we treat all data as sacred.”

The department has been a McAfee customer since 1998, having deployed most of the company’s core anti-spyware, anti-virus, and network security products over the years. Its move to McAfee Endpoint Encryption signaled a desire to increase protection of sensitive data in advance of South Carolina’s Consumer Protection Act, which takes effect on December 31, 2008, with additional provisions to be in force by July 1, 2009.

A mobile workforce raises the security stakes
The department has employed full-disk encryption for nearly three years, but, as its workforce became more mobile, the importance of endpoint encryption increased. “Our workforce is about 800 people and we’re 95 percent mobile now,” notes O’Berry. “All our agents have convertible tablets. As an organization, we’re spread over 56 locations. We also support officers in 46 courtrooms and anywhere else they can get connectivity.”

By adopting encryption technology before South Carolina enforced a data breach law, the department was ahead of the curve. “We wanted to protect victim data no matter what,” O’Berry continues. “And we knew that raising data protection awareness within the business units was going to take awhile. But with encryption, if a tablet was lost, everything was completely secured. And to the best of our knowledge, we’ve had no breaches of unencrypted data.”

Prior to the purchase of McAfee Endpoint Encryption, the department tried three other encryption products. O’Berry had his eye on SafeBoot before McAfee acquired the company. “SafeBoot was very solid even before McAfee bought them,” O’Berry says. “And it had great references. We liked the technology, especially its strong management and compliance features. We tested for a month and were very satisfied. Plus, McAfee products are much more forgiving in terms of installation than our previous product. In fact, it’s taken more time to remove the old product than to install the McAfee software. That’s been the biggest hurdle by far.”

Although not a driver at the time of purchase, McAfee Endpoint Encryption’s integration with McAfee ePolicy Orchestrator (ePO) soon paid off. “Deploying Endpoint Encryption now that McAfee and SafeBoot have merged gives us the added benefit of simplified management,” O’Berry says. “After awhile you end up with so many management pieces, it weighs on you operationally. You’re going to end up missing something. It’s death by console. At this point though, we now know what was encrypted and when from a single pane of glass.”

O’Berry is also keenly aware that attack vectors — the paths by which a hacker can access a computer or network—have grown enormously. That, coupled with the proliferation of user-based content creation, has increased the cost of auditing and maintaining compliance for a mobile workforce. In turn, that additional cost degrades the agency’s business operating efficiency (BOE) and personal productivity savings (PPS) for users. “This is a critical balancing act,” notes O’Berry. “IT operating efficiency can be allowed to fall off somewhat to boost overall BOE. But it can’t bottom out or the value is lost. Our move to McAfee has helped us keep those factors in synch.”

Bottom line: the ability to manage McAfee Endpoint Encryption and the agency’s other McAfee products through a single console make it possible to leverage the efficiencies of a mobile workforce. “The savings are almost incalculable,” O’Berry emphasizes. “The protection keeps us from having to feel the pain of a breach or unintentional data loss. It’s elevated the suite from just software to an enabler. And that’s what progressive IT shops are looking for.”

"McAfee lets me sleep at night. My workforce could not be truly mobile without the security products we’ve put in place."

David O’Berry
Director of Information Systems and Services, State of South Carolina Department of Probation, Parole and Pardon Services

New data breach laws carry stiff penalties
The Consumer Protection Act, South Carolina’s first data breach law, stipulates that an organization that fails to notify its members or customers of a data breach may be subject to a fine of $1,000 per citizen for each lost record. “The law does not provide immunity from lawsuits for state government,” says O’Berry. “So that number could be pretty scary. Plus, there’s the area of liability for pain and suffering after a breach and lawsuits related to that — court costs, and so on. But as long as you can prove beyond a shadow of a doubt that the data was encrypted, you will not be liable for a breach if laptops or mobile devices are lost or stolen. And proving it — that’s where ePO comes in.”

O’Berry knows firsthand the impact a data breach can have. “I was the victim of a data breach with an online broker,” O’Berry confides. “And you would not believe what it took for me to strong-arm them into giving me some kind of protection for that. Going forward, organizations are going to need to know that all their data is encrypted because somebody within their system — some customer of theirs — is going to be breached by somebody. For us, victim information could become a big issue, especially with the potential of civil penalties.”

McAfee delivers peace of mind
“McAfee lets me sleep at night,” O’Berry acknowledges. “My workforce could not be truly mobile without the security products we’ve put in place. I don’t have to worry at the end of every day, ‘Did all 800 people secure their laptops?’”

O’Berry takes the big-picture view of encryption as one building block of a safe digital ecosystem. But, ultimately, more and better information is what keeps the good guys ahead of the bad guys. “The more relevant information I have off my network, the better,” says O’Berry. “Then I don’t have to worry that I’m on an attack vector for someone, somewhere — that I am blind because my visibility is crippled.”

O’Berry also believes that security vendors and customers who approach their relationship as partners will enjoy the most success over the long-term. “We don’t need to have vendors leading us around,” concludes O’Berry. “It needs to be a 50-50 partnership. We need to clearly express our business needs, help the vendors create that, provide feedback at every juncture, and then plug the fruits of that combined effort into a flexible, agile, standards based architecture that’s going to make everybody safer. Going forward, you won’t be able to fight the hoard by yourself all the time.”

State of South Carolina Department of Probation, Parole and Pardon Services

Customer profile

The South Carolina Department of Probation, Parole and Pardon Services supervises offenders placed on probation by the court and paroled by the State Board of Paroles and Pardons

Industry

State government, law enforcement

IT environment

The department maintains a 56-site Frame Relay/ATM Broadband network, and supports remote officers in 46 courtrooms and 800 mobile users in the field using a variety of non-traditional connection methods

Challenges

With a highly mobile workforce, the department needed reliable endpoint encryption with simplified management and reporting

McAfee solution

McAfee Endpoint Encryption and McAfee ePolicy Orchestrator (ePO) safeguard victim data and offender data for 32,000 offenders

Results

  • Delivers endpoint encryption to 800 mobile endpoints
  • Safeguards data for more than 32,000 offenders
  • Simplifies management and reporting
  • Eliminates “death by console”
  • Enables compliance with new data breach laws