Print

Email story

Comment

Email editor

Why store it on a laptop?

Recent thefts have many experts scratching their heads over why companies let staffers take sensitive data out of the office on computers.

By ASSOCIATED PRESS
Published July 31, 2006

BOSTON - Every month seems to bring another episode of sensitive personal information escaping into the wild because a corporate or government laptop computer is lost or stolen. A common response is a lot of hand-wringing over how the data should have been encrypted.

But some key questions usually go unanswered. Why is so much private data allowed to be on laptops? What do people do all day that compels them to tote around records on, say, 26-million Americans, the staggering number seen in the recent Veterans Affairs case?

"It's pure laziness. There's actually no excuse for it," said Avivah Litan, a security analyst for Gartner Inc. "There's no good business reason for it."

Litan advocates a few simple steps: Organizations should keep sensitive information on secure, centralized servers. Workers can access the data from PCs in the office or over private Internet connections, but can't store the records on their machines to fiddle with them offline.

If they absolutely need to analyze data out of the office, the employees should run programs that replace live credit card or Social Security numbers with random "dummy" figures whenever possible, since the numbers aren't always relevant.

Following such rules would have prevented the scare that resulted when a laptop with veterans' data was stolen from an analyst's home May 3 (it was later recovered with the information apparently unaccessed). The VA inspector general told Congress the staffer had been bringing data home for policy analysis since 2003.

It's true that encrypting data - scrambling them with private codes - can make whatever is found on a laptop almost impossible to read. But encryption often isn't turned on by users who think it degrades computer performance.

Steve Van Wyk, ING Financial Services' chief information officer, thinks the emergence of ubiquitous broadband connections and secure Web-based business software have made it unnecessary for employees to store private data on portable devices. Not only is that data diaspora a security risk, but it can be costlier for the company to make sure back-office files and mobile data are in sync, he said.

"The ability to control it and protect it may be best if it's centralized," he said. "Why even go through the vulnerability?"

To a large degree, the problem of personal data floating away with laptops stems from companies' tardiness in accepting just how valuable the information is. Otherwise such records would have long been treated like product designs, market intelligence and other business secrets that aren't allowed to leave secure central computers.

But it's not clear this problem will go away.

Many mobile workers want to keep information "locally" on their laptops so they can work efficiently while traveling, meeting with clients or pounding away in other settings where they can't connect to a network. That's why they're often allowed - even encouraged - to take laptops home.

Even if employees technically aren't supposed to walk out the door with computers, many will quietly transfer business files to iPods, "thumb" drives and other capacious storage devices, said Sunil Jain, senior consultant for Sprint Enterprise Mobility Inc., the services arm of Sprint Nextel Corp.

"It's much faster to download the data and then do the reports offline," Jain said. "It's just human nature."

[Last modified July 30, 2006, 22:29:02]