Handling Corporate Laptop Theft Gracefully

Billosaur writes "From NPR, we get a Marketplace story about the theft of corporate laptops and the sensitive data they may contain, specifically how to handle the repercussions. From the story: 'TriWest operates in about 21 states. It's based in Phoenix, Arizona. In December of 2002, somebody broke into the company's offices and stole two computer hard drives.And those hard drives contained the personal information of 550,000 of our customers from privates in the military all the way up to the chairman of the Joint Chiefs of Staff.' How they handled the situation earned them an award from the Public Relations Society of America."

OT: Moderation

[mizhi]

This post is currently moderated as "Flamebait"

WTH are /. moderators smoking?

Conscientious Capitalism

[Doc Ruby]

Capitalists know that PR is cheaper than security. Never trust them.

bad headline

[Anonymous Coward]

This isn't about laptop theft, it's about how the company handled potential identity theft and loss of sensitive data. The hardware is irrelevant.

Re:Encrypt the disks.

[hazem]

If the data is on an encrypted disk, does the thief really have the data if they steal the encrypted disk?

Yes. Because the thief may be able to decrypt the data because they also copied down the password/key that was on a post-it note hidden under the keyboard of the computer. Or they might exploit a flaw in the encryption. Or they manage to socially-engineer access to the key needed to decrypt the data. Or they might have installed a key-logger to get the key and then came back a week later to get the drives too.

Re:Encrypt the disks.

[shawn(at)fsu]

I think you missed the a 3rd scenario.

Do not store sensitive data on a laptop.

Laptop theft? No problemo

[Anonymous Coward]

I handle the possibility of laptop theft by encrypting my /home partition with dm_crypt, and backing up the laptop nightly. If the laptop is stolen, the thieves won't know my passphrase and so they can't get any personal data.

Although the loss of the physical assets would be a nuisance, the laptop itself isn't worth much (under $500) and so I'd just replace it and maybe see if my insurance will pay for it.

Re:Encrypt the disks.

[sgent]

Not an option.

I don't know what world you live in, but people need access to sensitive data on their laptops -- espcially if they are in an area that doesn't have internet / communications availability.

You can take precautions such as encrypting the disk -- but many people can't do their jobs without access to that information.

Before computers, people often put files in their cars, or carried pen / pencil notebooks. The requirements to have that information available away from the office haven't changed.

Re:Encrypt the disks.

[cmacb]

"I don't know what world you live in, but people need access to sensitive data on their laptops -- espcially if they are in an area that doesn't have internet / communications availability.

You can take precautions such as encrypting the disk -- but many people can't do their jobs without access to that information.

Before computers, people often put files in their cars, or carried pen / pencil notebooks. The requirements to have that information available away from the office haven't changed."

I know what world you live it. It is the world of video games and powerpoint presentations with cute little pie charts.

In the 60s (the 40s and 50s were before my time) we got access to sensitive data by going to the office, passing an armed guard, signing in and sometimes using several keys or typing in combinations to get into certain rooms. Yes, you could take notebooks (paper ones) and pens and pencils with you in your car. You might also take a printout or so with sensitive data from one place to another, but that was pretty rare. There were telecommunications back then and you could even get to your data over those links, which were a lot more secure than todays WiFi and dial-up.

What changed is that computers became toys, and many of the people using them now know nothing about the underlying technology other than it's easier than using an adding machine. Ninety nine percent of the problem is that the boobs entrusted with these toys didn't take even common sense precautions with the physical security of the devices. Given the mindset of such people, there is zero hope that they would know enough to take the proper electronic precautions.

I maintain that if the data is REALLY important, and that includes all the examples given above, the the proper way to use a laptop is as a dumb terminal with a highly encrypted communications link back to the actual data. Such a link can happen over the Internet, or via a satellite link. There is really no excuse for carrying such data around, in the past, now, or in the future.

Re:Whole Disk Encryption vs. File/Directory

[woolio]

This is because I also do not trust my employer. The notebook is theirs, but not all the data is.

Would your life be a lot simpler if you stored only company data on the company laptop and non-company data on a non-company laptop/storage device???