Last week (7/1/06), the Red Cross reported that a laptop containing thousands of records of blood donors' personal data had been stolen from a locked closet in one of their local offices. They reported that there was no sign of forced entry into the closet. Obviously this implicates someone with a key to the closet. An employee? Janitorial staff?
Bizarrely, the Red Cross spokesman, Darren Irby, said, "We haven't viewed this as a security breach at this point." I guess he is resting comfortably with the idea that because the donor data were "encrypted," that they are safe even on a stolen laptop. Let's just take a moment to remember that there are lots of different types of encryption, some more secure than others, and that all forms of encryption are subject to attack. Further, for the most common kind of file encryption (symmetric key encryption), the security of the data also depends on keeping the "key" (like a password) secret.
A stolen laptop was at the heart of the Veteran's Administration data leak scandal as well. Laptops are wonderful. I have one and I love it. But laptops are a triple threat for security:
1. They hold tons of data. The wimpiest new laptop you can buy generally comes with dozens of gigabytes of data. Which means that users can stash tons of valuable information on them.
2. They are highly portable. A laptop can be concealed in a backpack, a grocery bag, or under your shirt. It is no more difficult to steal a laptop than it is to steal a ream of paper.
3. They are quite valuable on the "stolen products marketplace." That is, they are easy to fence.
Good security polices must specify what employees can do with laptops, where they can do it and when. This includes any personal machines that are permitted to have access to company data. Firms need to work out policies that appropriately balance productivity and security. Most importantly, users need to internalize the idea that loss and theft of laptops is a very common event. TAXI, a trade journal of the taxicab industry, did a survey showing that 4973 laptops were left in London cabs over a period of six months in 2004. That's just one city, in one part of the world, and just one mechanism of loss. As users leave the building with laptops in their briefcase, they should assume that the machines will get stolen, and should prepare and protect their data against this eventuality.