A month later an advisor from ING U.S Financial Services, which administers pensions, had a laptop stolen from his home, carrying the social security numbers and other records of 13,000 Washington municipal employees.
The question is, why is so much personal information allowed on laptops? Companies may wring their hands and wonder how they should encrypt the data better, but how about not letting it out of the office in the first place?
"It's pure laziness. There is no excuse, or good business reason for it," says Avivah Litan, a security analyst with Gartner.
Litan advises that organisations keep sensitive information only on secure centralised servers. Workers should be able to access this remotely, but only via private internet connections and should not be able to transfer the data to remote devices.
If people really do need to analyse data away from the office, Litan advises using programmes that replace live credit card or Social Security numbers with dummy data, as the actual numbers are not always relevant.
In the case of ING, employees carrying data out of the office on laptops are supposed to use encryption software. However, now the company is thinking of tightening its rules to prohibit sensitive data leaving its offices at all, even if it is encrypted.
Improvements in broadband and secure web-based services make it increasingly unnecessary for employees to store data remotely, and companies could also avoid the extra cost of ensuring that back office files and mobile data are in sync.
Many wonder why companies are less protective of customer data than they are about other sensitive information, such as market intelligence or product designs.
However, changing habits is hard. Many employees are encouraged to take data with them to make the most of time spent travelling, or in meetings with clients. Also, even if employees are not technically allowed to leave the building with data, the explosion in personal devices like iPods and removable hard drives makes it easy for people to take information with them if they are determined to do so.
One solution might be to use software that automatically shreds data if a laptop is lost or stolen. The self-destruct mechanism activates if the laptop has not logged into the office network for a while, or if a thief tries to connect the machine to another network.
Source: Don't let that laptop out of the door
International Herald Tribune, July 12 2006
Review by James Curtis