Why stolen laptops still cause data breaches, and what's being done to stop them
Every time a stolen laptop leads to a data breach, you wonder why the business involved hadn’t set up any safeguards. When the unencrypted laptop was stolen from a former physician at the University of Oklahoma, for instance, or when a laptop was stolen from insurance provider Oregon Health Co-op containing data on 15,000 members.
You’d think money would motivate them, if nothing else. In November, EMC and Hartford Hospital were ordered to pay US$90,000 to the state of Connecticut over the theft of an unencrypted laptop in 2012 containing data on nearly 9,000 people. The laptop was stolen from an EMC employee’s home.
The problem extends far beyond the healthcare industry, too—such as the laptop stolen from SterlingBackCheck, a New York-based background screening service. The laptop contained data on 100,000 people.
These types of breaches don’t quite grab the same headlines as major cybercrimes and hacking incidents, if only because a thousand employees affected by a laptop theft is less dramatic than 40 million customers at Target. But it’s a lot easier to steal a laptop than it is to hack into a corporate database, so the theft and loss of laptops, as well as desktops and flash drives, highlight the need for enhanced physical security and employee training.
It’s easier to steal a laptop than to hack a database
The organizations mentioned here have wised up. A spokesperson for the University of Oklahoma said it has launched an encryption program and new training for employees when it comes to handling sensitive data.
SterlingBackCheck said it has updated its encryption and audit procedures, revised its equipment custody protocols, retrained employees on privacy and data security, and installed remote-wipe software on portable devices.
Another threat to your data is the proliferation of Bring You Own Device (BYOD) policies and mobile workers. Gartner anticipates that half of all companies will have some need for a BYOD policy by 2017. Workers will be using their own devices as well as company-issued ones in the office or on the go. This opens up a new risk if devices are lost or stolen.
Security firms like Sophos urge companies to put a robust policy in place for the handling of professional devices, including full disk encryption as well as encrypted cloud and removable media. A strong password is highly recommended too, but it’s not enough on its own.
A greater sense of urgency wouldn’t hurt, either. In Oklahoma, the physician had actually left his position at the university before his personal laptop went missing. He couldn’t say for sure whether it contained sensitive data, but by the time that possibility arose, it was too late.
In another incident, at manufacturer Tremco, an employee lost a company-issued laptop on a plane. It was several weeks before the employee realized that it contained spreadsheets of personal employee data.
Encryption, remote wiping, better data tracking
Companies need to know where their data is at all times—not just what device it is on, but where that device is located physically.
This highlights the need for remote wiping tools, which SterlingBackCheck has put in place. If a laptop is lost or stolen, the company should have an easy way to remotely wipe the sensitive data to ensure it never leaks.
Much like large-scale hacking attacks, it’s the consumer or the patient that really suffers when a data breach occurs. The onus lies with the company to handle this data responsibly, whether it’s in the cloud or on a laptop on the bus.