There is a danger that reporters, bloggers and other commentators will stop covering something as thoroughly as they did before simply because there is nothing terribly new to say.
This is a mistake. The commentary should only lighten up when the problem does. Indeed, it should increase, since obviously the message isn't getting through. Unfortunately -- and a bit unbelievably -- news still is emerging about the loss of laptops packed with sensitive data.
Last week, as reported in InformationWeek and elsewhere, a machine carrying unencrypted Social Security numbers and other personal information on about 800,000 people who applied for employment on the phone or online with the Gap Inc. in the United States and Puerto Rico was stolen from a third-party vendor. Less sensitive data on Canadian applicants also was on the laptop, the story says.
Gap Inc. stores include Old Navy, Banana Republic, The Gap and outlets.
Even now, there are important questions to keep asking. For instance, is this a failure of policy -- don't the companies prevent people from carrying around sensitive data without encryption? -- or are proper policies usually in place? If they are, do the policies have teeth? Or are the policies good and the penalties stringent for not complying -- but for some reason not everybody is paying attention?
Another series of questions concerns the aftermath of a breakdown in security. How serious is the follow-up to these events, in actuality? Laptops without sensitive data must also be lost or stolen. Is the entire question revisited when that happens, or does the business sigh a sigh of corporate relief and carry on as before?
We're sure there are other questions. They all boil down to one thing: Is this really being taken seriously?
The Gap is not the only organization still seeking to get its arms around the seemingly simple task of not losing control of laptops loaded with vital information. The Hartford Courant mentions a couple of recent incidents. In the more fully developed description, a computer specialist for the state of Connecticut was attending a family outing on Long Island, N.Y. He had permission to take the laptop, the column says -- but not the 106,000 Social Security Numbers that disappeared when the machine was stolen. Luckily, this story says that six weeks after the theft, apparently nobody has tried to use the data. The columnist also mentions that bank-account numbers were stolen in Ohio. That incident is better described here.
While many articles aimed at IT folks note legal exposure in passing, this column from the In-House Counsel section of Law.com discusses the issue expressly from that point of view. The author offers interesting insight into what happened in May 2006 when a statistician for the Department of Veterans Affairs had a laptop loaded with 26.5 million names and vital information stolen from his home.
The details were public, but not well known. Among the more startling facts was that the secretary of the department was not notified for almost two weeks. The writer concludes that the delay was due to the absence of written policies and "a lack of urgency" on the part of supervisors. Even giving the VA the benefit of the doubt -- the loss occurred at the front edge of the recent string of high-profile lost laptops -- the lack of attention is unconscionable. Indeed, it might simply be that the loss of electronic data isn't as real to many people as the loss of diamonds, sports cars or other tangible items.
While most of the preventative measures mentioned in this story are familiar, the fact that losses still are piling up means that people are not listening. They therefore bear repetition. This piece at TheStreet.com, which links to an earlier article exploring the importance of mobile-device security policies, discusses some of the key steps in limiting danger to laptops.
- This piece of advice is based on common sense: Delete anything of value from the laptop at the earliest opportunity. If vital data isn't on the hard drive, its loss will become more of an annoyance than a crisis. In this case, annoyance is good.
- Back up the hard drive. This story rightly says that this will replace the lost data. It's important to understand that having a duplicate will tell the organization precisely what has gone missing and, in essence, how much to worry.
- Encrypt. This step will render any data on a machine all but useless to those without the encryption key.
- Use passwords and make sure antivirus and other security software are present and up-to-date.
- Keep your eye on the machine, especially in high-traffic areas such as coffee shops and, as much as possible, when separated from it in airline metal-detection areas.
- Use cables -- with and without alarms -- to tether a device to something immovable in hotel rooms and other areas in which it is a sitting duck. Another physical security tool is LoJack for Laptops which, like its auto namesake, can help track down laptops that have been pilfered.
- Consider installing software that will wipe the hard drive clean if told to remotely by the IT department.
PC World also weighs in on how to keep mobile devices -- it looks at the question more broadly than just laptops -- secure. The keys are to secure the data that truly needs to be protected, and to opt for encryption if in doubt; to create a formal organizational security policy (the topic to which the TheStreet.com writer dedicated an entire story); to train employees; and to make security easy for them to use.
It appears that things still are lax. This may be so, or it may be that slow progress indeed is being made. Unfortunately, a few lazy employees can put an entire organization in legal and public relations jeopardy.