How Bright Are Laptop Snatchers?

Carl Weinschenk

Our first reaction upon hearing that another laptop loaded with sensitive information had disappeared -- in this case, from GE -- was resignation.


In this case, about 50,000 employees' private data may have been compromised, according to reports. At least the device was taken from a locked hotel room, not an unattended table at an airport lounge.


After shaking our heads, we read the comment by a vice president at Protegrity. We don't want to pick on the guy because, as reporters, we're aware that snippets of an interview taken out of context can make a serious quote seem funny or flippant.


The problem is that what the analyst says probably is true.


He was commenting that the recent rash of lost or stolen laptops hasn't led to an increase in online criminal behavior. The wording surrounding the quote is a bit confusing, but the Protegrity VP suggests that people smart enough to want to use the data on the machine also are smart enough to know that there are easier ways to get it than breaking into a hotel room.


So the good news is that people ripping off laptops are run-of-the-mill thugs.


This is a very dangerous line of thought, however. Anything that provides companies with a rationale for not doing the difficult job of encrypting data and enforcing other mobile device policies is a bad thing.


It's a slippery slope: If the thieves are garden variety punks, why go to the trouble and expense of protecting the data?


The Protegrity exec may be entirely correct. But enterprises must assume that any data that leaves the enterprise -- either on laptops, in the air or on cables -- will be exploited to its fullest if it ends up in the wrong hands.

Sep 29, 2006 3:08 AM Cam Roberson says:
It is dangerous indeed to believe that because a laptop was lifted by a thug with ideas of a quick and profitable turn on his "investment", the data is not at risk. Experts tell us that 600,000 laptops are stolen every year and that only 3% are ever returned. Do the math - 580,000+ of these systems (each year) are gone - forever! Think these computers are not sold to a second, third or fourth party? Come on. Many of these computers will find their way into domestic and foreign black markets. Since the data value of thousands - or hundreds of thousands - of personal records far outweighs the value of its hardware host, do you think this CEO is still comfortable telling his customers and shareholders not to worry? Data on these computers live forever. Even encrypted data lives forever. And since there are no expiration dates on names and Social Security numbers, criminals may not be in a hurry to mine the data now. Heck, they could even wait years, deferring to when technology advancements and computing power are capable of exposing vulnerabilities that we today think are rock-solid-secure.

I'm sure by now you see it coming... a shameless plug for my company. And here it is – I’ll be brief. Lost Data Destruction from Beachhead Solutions encrypts and destroys data on a lost or stolen PC. It is effective with and without an internet connection. There are many good laptop security products on the marketplace and it confounds me that there appears to be this ambivalence on the part of American business to the value of the consumer's personal identity information. Wonder if they'd be so flippant if it was their personal and financial information on a stolen laptop?

Oct 4, 2006 11:50 AM Mark Bower says:
Irrespective of the perspectives given, the bottom line is that there are enacted laws with specific requirements to publicly disclose the breach and to notify affected persons when unprotected data is released. California's far-reaching SB1386 is a good example, but other regulations such as GLBA and various state regulations also have similar provisions. The only way to avoid this disclosure requirement and the high associated process costs is to encrypt the data in accordance with the laws where it is an explicit requirement, or to achieve best practice status using guidelines that map to the regulations as advised by a corporation's legal and compliance advisors.
