The news that nearly 200,000 Hewlett-Packard (HP) employees were at risk of identity theft after a laptop containing their data was stolen from a Fidelity Investments office is the latest example of a new trend in data breaches.
In recent months, there have been several high-profile incidents of laptops containing unsecured personal data -- including names, addresses, Social Security numbers, and financial information -- disappearing from business offices, homes, and cars all over America.
• In Dec. 2005, Ford Motor Company lost a laptop containing information on 70,000 of its workers.
• January 2006 saw the disappearance of a laptop containing data on 215,000 Ameriprise customers and advisors from a car.
• The Providence Health Care hospital system revealed in Feb. 2006 that a laptop containing data on thousands of its patients had been stolen in Dec. 2005.
• Also in February, an auditor from financial services firm Deloitte & Touche left a laptop containing data on employees of the McAfee software security company in an airplane seat pocket.
• And just this month, two laptops containing data on Verizon employees wandered off from one of the company's office buildings.
All of these thefts have attributes in common.
The investigating authorities insist the thefts were for the laptops themselves, not for the data within them. Details are scarce, because of the ongoing investigations.
There are significant spans of time between the discovery of the theft and notification of the affected individuals, much less the media and the public.
And the best -- indeed, only -- protection the potentially endangered workers, patients, and consumers can hope for is free credit monitoring from one of the major credit bureaus.
Recent studies have shown that as consumers become more savvy about detecting and preventing online identity theft and fraud, offline theft is still the biggest source of data loss and information endangerment for Americans. This can just as easily include missing laptops as it can shredded credit card statements, bills tossed in the garbage, or misplaced wallets.
Company security analysts need to be asking why employees are taking incredibly detailed personal information about other employees and customers from secured, on-site networks, and storing it on easily accessible laptop computers, often with little or nothing in the way of security protection.
In the case of the HP/Fidelity theft, the data was being held on a laptop for a specific meeting, and according to Fidelity spokespersons, the storage of personal information on laptops isn't "normally company policy."
Fidelity spokeswoman Anne Crowley said that the company "[limits] significantly the use of such confidential data outside of Fidelity to only those instances where the information is appropriate or required for meetings with clients about their specific plans and participants," according to an article in eweek.com.
The HP/Fidelity theft also brings up the point of third parties having access to sensitive company data.
Contracting tasks such as accounting, auditing, and oversight to third party companies is often necessary in the post-Enron world, but without proper security, it can lead to financial and public damage that's just as ruinous for just as many people.
Even though the hype and hysteria over identity theft often outweighs actual statistics on the losses, it's still a serious concern for millions of Americans.
Just as businesses are paying increasingly high fines and settlements over cases of data loss, there needs to be a "sea change" in how companies handle data that's entrusted to them.
Until big business starts taking data security more seriously, one missing laptop can spell years of danger for thousands of employees or customers.
On A Personal Level
While there's not much individual consumers can do about careless handling of their data by corporate interests, it's worth taking a few minutes to consider whether the loss or theft of your laptop would endanger your vital personal and financial data.
Laptops can come to grief in two ways: they can fail or be irretrievably damaged and they can be stolen.
If you drop your laptop in front of a subway train or your spouse backs over it with the Expedition, any data you have stored on it is most likely gone for good. The solution to this is pretty simple: keep a backup.
If you have a home network, it's simple enough to back up your personal data once a week or so. If not, you can burn a weekly CD or plug in a simple memory stick.
It's a little scarier to think of your laptop disappearing from your hotel room or from the security checkpoint at the airport. Beyond the simple loss of the data stored on your hard drive, you face the possibility that someone else will soon have access to, among other things:
• your online bank account;
• your online brokerage account;
• the list of passwords you store in Word or Excel;
• your name, address, telephone number and e-mail address;
• all of your e-mail correspondence; and
• your Quicken, Money or other personal accounting data.
Scary? Indeed it is. There are a number of steps you can take to protect yourself. The best, of course, is to encrypt your hard drive so that nothing on it can be read by anyone who does not have the appropriate password.
The security built into your Windows program won't do the trick. While you may have set up a password that prevents strangers from easily logging onto your machine, the sad fact is that the data on the hard drive is easily accessible to anyone with a little technical knowledge.
There are any number of programs available that will encrypt your data so that no one except the most knowledgeable thief can get at it. PGP is one of the better-known and trusted programs. Google "laptop encryption" to find plenty of others.
Some programs go a step farther. In addition to encrypting the data, these programs will notify you via email when your stolen laptop goes online, supplying the network address the thief is using. This may or may not help you recover your machine, depending on whether you can interest the police. Cops in some jurisdictions take data theft seriously; others yawn politely and return to murder and mayhem.
There's another solution, of course: don't keep any data on your laptop that could be damaging if lost. If you do, at least put it all in a single subdirectory. When you travel, simply cut and past the data onto a memory stick or other device.
However, keep in mind that many laptop thefts occur in the office and even the home. You may come back from a quick trip to the coffee machine to find your laptop missing some day. To prevent this, you can buy small security straps that will lash your laptop to your desk, fireplace or pit bull.
But keeping your laptop lashed down sort of defeats the whole idea of having a portable, doesn't it? In the long run, it's a lot less trouble to take a few minutes to install a good encryption program.
Like your integrity, you only have to lose your laptop once to suffer irreparable harm.