This story appeared on Network World at

http://www.networkworld.com/columnists/2006/061206bradner.html

 

Laptop security: Do companies care?

 

'Net Insider 

 

By Scott Bradner, Network World, 06/12/06

 

Over the past few months there has been an unremitting drumbeat of news stories about vast amounts of data being lost when corporate laptops are stolen. In almost all these cases, the data on the laptop was not encrypted, but that is not the real problem.

 

Google gets 8.2 million hits for the search "laptop+stolen" and Google News gets 1,700. Some hits point to software or devices to protect laptops against theft or to track them when they're stolen. Too many, however, are about laptops being stolen; far too often those laptops contain confidential information on thousands of people.

 

The latest example comes from Ernst & Young, which had a laptop stuffed with information about more than 240,000 Hotels.com users stolen. Apparently, this happened awhile back, but Ernst & Young did not have the honesty to admit its stupidity publicly until The Register started nosing around.

 

This is not the only laptop Ernst & Young has let slip through its fingers this year. Earlier, four company laptops were stolen from a conference room while the auditors who were supposed to protect them were off at lunch.

 

That happened shortly after another employee managed to lose his laptop containing the Social Security numbers of some customers' employees. Ernst & Young refuses to say how many people were threatened by that loss.

 

Ernst & Young is hardly alone in its zeal to expose others' confidential information, then not fess up. There is the marvy case of the Department of Veterans Affairs employee who for years had been taking home disks full of Social Security numbers and other information on veterans (26 million, as it turned out). It took the department weeks to break the news when the data finally was stolen.

 

Other recent examples include a Fidelity laptop with Social Security numbers and other data for about 200,000 HP employees and a Wells Fargo laptop with information on "a relatively small percentage" of Wells Fargo's millions of customers. (Apparently, Wells Fargo, like Ernst & Young, thinks providing incomplete information is not the same thing as lying.)

 

These cases are stupid. Doesn't anyone at these companies read the stories in the papers about the problem of stolen laptops? The problem is best described by Ernst & Young on its Web page on information security: "However, organizations are missing the rare investment opportunities that compliance offers to promote information security as an integral part of their business." Ernst & Young seems to be a perfect example of what it was talking about.

 

The problem isn't that these laptops were not using encryption (the press is reporting that all Ernst & Young laptops are now belatedly using encryption). The real problem is having Social Security and credit card numbers on laptops in the first place.

 

I see no possible reason for an auditor such as Ernst & Young to ever have Social Security or credit card numbers on a laptop. In any reasonable society this would be illegal - but don't hold your breath for that to happen in the United States. Note that good security practice is to assume that any laptop will be (not "may be") stolen. A cryptographic hash of the Social Security or credit card number can be used if a unique identifier is needed.

 

Until people begin to understand that employees should have only the confidential data they need at any particular time, rather than by default having all the data the company has, we will keep seeing these headlines about more people acting with abject stupidity.
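The two points above, a keyed token in place of the Social Security or card number itself and only the fields an employee actually needs, look like this in practice. This is an added Python example, not from the column: the records and the key are constructed placeholders, and it uses an HMAC rather than a bare hash because there are only a billion possible SSNs, so the secret key (kept on the server, never on the laptop) is what makes the token safe to carry around.

```python
import hashlib
import hmac
import re

# Fields that may leave the server only as keyed tokens, never in clear form.
IDENTIFIER_FIELDS = {"ssn", "card_number"}

# Constructed sample records (made-up values for this example).
SAMPLE_RECORDS = [
    {"name": "A. Example", "ssn": "123-45-6789", "card_number": "4111 1111 1111 1111", "balance": 120.5},
    {"name": "B. Example", "ssn": "987-65-4321", "card_number": "5500 0000 0000 0004", "balance": 0.0},
    {"name": "C. Example", "ssn": "123456789", "card_number": "4111111111111111", "balance": 42.0},
]

def normalize(value):
    """Drop spaces and dashes so '123-45-6789' and '123456789' yield the same token."""
    return re.sub(r"[\s-]", "", value)

def tokenize(value, key):
    """Keyed pseudonym (HMAC-SHA256) for an SSN or card number.
    A bare hash would not do: only 10**9 SSNs exist, so a plain SHA-256 of one is
    a dictionary lookup for whoever holds the laptop. The key stays on the server.
    """
    return hmac.new(key, normalize(value).encode("ascii"), hashlib.sha256).hexdigest()

def export_for_laptop(records, needed_fields, key):
    """Copy only needed_fields from each record, replacing identifier fields with tokens."""
    rows = []
    for rec in records:
        row = {}
        for field in needed_fields:
            if field in rec:
                row[field] = tokenize(rec[field], key) if field in IDENTIFIER_FIELDS else rec[field]
        rows.append(row)
    return rows

def contains_clear_identifier(rows):
    """True if any string value still looks like a raw SSN (9 digits) or card number (13-19 digits)."""
    for row in rows:
        for value in row.values():
            if isinstance(value, str) and re.fullmatch(r"\d{9}|\d{13,19}", normalize(value)):
                return True
    return False

if __name__ == "__main__":
    key = b"placeholder-key-kept-on-the-server"  # hypothetical; use a managed secret in practice
    export = export_for_laptop(SAMPLE_RECORDS, ["name", "ssn", "balance"], key)
    print(export)
    print("clear identifiers present:", contains_clear_identifier(export))
```

The tokens stay linkable (the same SSN always yields the same token under one key), which is all an auditor matching records needs, while the card numbers are not exported at all because they were not in the requested field list.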

 

Disclaimer: Harvard, as far as I know, does not teach abject stupidity, so the above rant is mine, not the university's.