Dude, Where's My Laptop?

By Ray Everett-Church

July 17, 2006

If may seem as if there is more data theft today than ever, but impressions -- and high-profile media coverage -- can be deceiving.

Almost every day the news media reports yet another laptop or backup tape has been reported missing or stolen, along with the personal information of thousands or millions of citizens whose deepest personal secrets were stored on the missing item.

Is it a crime spree of unprecedented proportions? Should we head for the hills?

No, it’s just another lousy day in a country that loves to “talk the talk” on privacy, but when called upon to “walk the walk,” needs binoculars, a compass, and three Tibetan Sherpas just to locate our shoes.

Despite the cavalcade of bad privacy news in the media these days, most indications are that the rate of laptops going missing today is no higher than it ever has been. What we’re seeing now is instead an increase in the amount of information about these thefts that’s actually making it into the public eye.

The reason why we’re hearing so much more about data theft is because of a growing number of laws that require consumers to be notified when something bad happens to their private information.

It has been almost three years since the brave members of the California legislature stood up to fierce high-tech industry lobbying and passed a law requiring businesses to notify consumers whenever their data falls into the hands of unauthorized persons. Since then, millions of consumers have been alerted to their increased risk and have had an opportunity to step up their watchfulness.

Following on the success of the California law, many other states have passed similar laws, some even going so far as to require government agencies to follow the same notification procedures in the event of security breaches.

Unwarranted Fear

According to industry lobbyists, however, the notice requirements haven’t prevented a single identity theft from occurring. Instead, they say the information has caused more unwarranted fear among consumers who used to be blissfully unaware when companies did boneheaded things with their data.

One cannot deny, however, that the security breach notification laws in California and elsewhere have indeed upped the stakes for businesses and posed some significant challenges for thoughtful IT executives. While some IT people have themselves enjoyed years of being blissfully unfazed by wayward backup tapes, a cracked database, or a missing laptop, incidents that used to be merely annoying have turned into major corporate catastrophes.

Unfortunately the knee-jerk solution advocated by some pro-business lobbyists -– repeal those pesky notice laws -– is akin to shooting the messenger and completely misses the point.

Data losses are not only a disaster for the businesses that are now forced to fess up to their inadequacies, they are a kind of a cancer growing on consumer confidence. With consumer concerns for privacy at an all-time high, and the rate of identity theft skyrocketing, companies need to move data security to the front burner.

One incident from a few months ago provides a great example of where today’s thinking (or lack thereof) really is.

In May, news broke that the document storage firm Iron Mountain had misplaced backup tapes containing personnel records of some 600,000 current and former employees of Time Warner Inc. In acknowledging the loss, Iron Mountain advised its clients that they really should be encrypting the backup tapes anyway.

While Iron Mountain’s advice doesn’t help protect the data that’s already gone missing, it is certainly sound advice.

Why isn’t encryption more common? In the not so distant past, the additional computing overhead required by encrypting an active database could be pretty significant. And that’s assuming your company’s archaic and decrepit legacy database infrastructure could even support encryption.

Encryption and Other Solutions

With computing power so much cheaper than it used to be, including the availability of specialized cryptographic processing cards designed for high capacity and high availability servers, the cost of encryption ain’t what it used to be! Moreover, with the costs and risks of data spills becoming greater every day, the transition to encryption makes more sense than ever.

However, encryption is only part of the solution. Enterprises also need to look again at the cost/benefit analysis of letting employees take sensitive data with them on a laptop. If critical files happen to be encrypted, that can also help protect data if the laptop is stolen. But if the sensitive data isn’t there in the first place, the risks drop dramatically.

Yes, productivity can increase when employees are able to ignore their families and work from home on nights and weekends, but security officers need to think about which employees have access to data that shouldn’t be leaving the office under any circumstances. Then those decisions need to be turned into policies enforced both through employee education and, whenever possible, through technological measures.

A cursory look through the marketplace shows that there are some interesting software products on the market that enable IT departments to deploy stronger encryption and authentication to their “road warrior” workforce. As risks increase, I expect there will be a booming market in these kinds of solutions.

Even as the means to better secure data are becoming more available, the ability of some executives to white-wash problems remains state-of-the-art.

For example, in a public “Dear Colleague” letter following news of the box that fell off the back of the Iron Mountain truck, Time Warner’s company’s chief security officer sounded a hopeful note:

“To date, the investigation has not found any evidence that the tapes or their contents have been accessed or misused. In addition, the information on the tapes is in a form that is not easily accessed.”

Scuttlebutt from a friend of mine inside Time Warner says that executives further explained to employees how difficult it would be for some random person to make use of the tapes because of their unique design. They further explained it by comparing the tape cartridge format to that of an eight-track cassette.

I was taught that security through obscurity was usually a bad idea, but I guess that as long as those tapes aren’t found by an identity thief who drives a 1971 Chevelle with an aftermarket Radio Shack stereo, then everything’s cool, right?

For many years, executives have “talked the talk” of protecting critical corporate data, including sensitive consumer information. But as we have begun to see, a lot of companies seem to have been unable or unwilling to “walk the walk,” much to the anger and frustration of lawmakers and consumers.

I think the time has come for IT and security professionals to look more deeply at broader deployment of encryption and to rethink the wisdom of equipping workforces with unhardened laptops.

Comment and Contribute
(Maximum characters: 1200). You have
characters left.