Dude, Where's My Laptop?
July 17, 2006
It may seem as if there is more data theft today than ever, but impressions -- and high-profile media coverage -- can be deceiving.
Is it a crime spree of unprecedented proportions? Should we head for the hills?
No, it's just another lousy day in a country that loves to talk the talk on privacy, but when called upon to walk the walk, needs binoculars, a compass, and three Tibetan Sherpas just to locate our shoes.
Despite the cavalcade of bad privacy news in the media these days, most indications are that the rate of laptops going missing today is no higher than it ever has been. What we're seeing now is instead an increase in the amount of information about these thefts that's actually making it into the public eye.
It has been almost three years since the brave members of the California legislature stood up to fierce high-tech industry lobbying and passed a law requiring businesses to notify consumers whenever their data falls into the hands of unauthorized persons. Since then, millions of consumers have been alerted to their increased risk and have had an opportunity to step up their watchfulness.
Following on the success of the California law, many other states have passed similar laws, some even going so far as to require government agencies to follow the same notification procedures in the event of security breaches.
According to industry lobbyists, however, the notice requirements haven't prevented a single identity theft from occurring. Instead, they say the information has caused more unwarranted fear among consumers who used to be blissfully unaware when companies did boneheaded things with their data.
One cannot deny, however, that the security breach notification laws in California and elsewhere have indeed upped the stakes for businesses and posed some significant challenges for thoughtful IT executives. While some IT people have themselves enjoyed years of being blissfully unfazed by wayward backup tapes, a cracked database, or a missing laptop, incidents that used to be merely annoying have turned into major corporate catastrophes.
Unfortunately the knee-jerk solution advocated by some pro-business lobbyists - repeal those pesky notice laws - is akin to shooting the messenger and completely misses the point.
Data losses are not only a disaster for the businesses that are now forced to fess up to their inadequacies, they are a kind of a cancer growing on consumer confidence. With consumer concerns for privacy at an all-time high, and the rate of identity theft skyrocketing, companies need to move data security to the front burner.
One incident from a few months ago provides a great example of where today's thinking (or lack thereof) really is.
In May, news broke that the document storage firm Iron Mountain had misplaced backup tapes containing personnel records of some 600,000 current and former employees of Time Warner Inc. In acknowledging the loss, Iron Mountain advised its clients that they really should be encrypting the backup tapes anyway.
While Iron Mountain's advice doesn't help protect the data that's already gone missing, it is certainly sound advice.
Why isn't encryption more common? In the not so distant past, the additional computing overhead required by encrypting an active database could be pretty significant. And that's assuming your company's archaic and decrepit legacy database infrastructure could even support encryption.
Encryption and Other Solutions
With computing power so much cheaper than it used to be, including the availability of specialized cryptographic processing cards designed for high-capacity and high-availability servers, the cost of encryption ain't what it used to be! Moreover, with the costs and risks of data spills becoming greater every day, the transition to encryption makes more sense than ever.
However, encryption is only part of the solution. Enterprises also need to look again at the cost/benefit analysis of letting employees take sensitive data with them on a laptop. If critical files happen to be encrypted, that can also help protect data if the laptop is stolen. But if the sensitive data isn't there in the first place, the risks drop dramatically.
Yes, productivity can increase when employees are able to ignore their families and work from home on nights and weekends, but security officers need to think about which employees have access to data that shouldn't be leaving the office under any circumstances. Then those decisions need to be turned into policies enforced both through employee education and, whenever possible, through technological measures.
A cursory look through the marketplace shows that there are some interesting software products on the market that enable IT departments to deploy stronger encryption and authentication to their road warrior workforce. As risks increase, I expect there will be a booming market in these kinds of solutions.
Even as the means to better secure data are becoming more available, the ability of some executives to white-wash problems remains state-of-the-art.
For example, in a public "Dear Colleague" letter following news of the box that fell off the back of the Iron Mountain truck, Time Warner's chief security officer sounded a hopeful note:
"To date, the investigation has not found any evidence that the tapes or their contents have been accessed or misused. In addition, the information on the tapes is in a form that is not easily accessed."
Scuttlebutt from a friend of mine inside Time Warner says that executives further explained to employees how difficult it would be for some random person to make use of the tapes because of their unique design. They further explained it by comparing the tape cartridge format to that of an eight-track cassette.
I was taught that security through obscurity was usually a bad idea, but I guess that as long as those tapes aren't found by an identity thief who drives a 1971 Chevelle with an aftermarket Radio Shack stereo, then everything's cool, right?
For many years, executives have talked the talk of protecting critical corporate data, including sensitive consumer information. But as we have begun to see, a lot of companies seem to have been unable or unwilling to walk the walk, much to the anger and frustration of lawmakers and consumers.
I think the time has come for IT and security professionals to look more deeply at broader deployment of encryption and to rethink the wisdom of equipping workforces with unhardened laptops.