Handling Corporate Laptop Theft Gracefully

Billosaur writes "From NPR, we get a Marketplace story about the theft of corporate laptops and the sensitive data they may contain, specifically how to handle the repercussions. From the story: 'TriWest operates in about 21 states. It's based in Phoenix, Arizona. In December of 2002, somebody broke into the company's offices and stole two computer hard drives.And those hard drives contained the personal information of 550,000 of our customers from privates in the military all the way up to the chairman of the Joint Chiefs of Staff.' How they handled the situation earned them an award from the Public Relations Society of America."

Re:Encrypt the disks.

[MandoSKippy]

While California's SB1386 specifically mentioned encryption as a reason for not having to disclose to customers under that law, other laws do not. Specifically Wisconsin Act 138 does not mention encryption as a way to preclude disclosure. Basically Wisconsin's law states if someone unauthorized has a clients data, you must tell the client about it. Now, of course I am not a lawyer, nor do I play one on TV, but I know this is a new law (March 16th, 2006) and have any Jurisprudence clarifying this. On the flip side, encrypting the data sure makes the disclosure a lot less painful. I.e. Yes, we had laptops stolen, but all the data was encrypted per our policy and the likelyhood of you data being imporperly used is extremely low. I am currently researching a workstation encryption project, so if anyone (a lawyer perhaps?) has any insight into this stuff, I'd be happy to hear it from the expert.

Handling Secure Data Loss Gracefully

[digitaldc]

Resign with thank you cards, smiles all around and a wonderfully inspiring anecdote about how much you had accomplished in your career up until that day.

Handled Pretty Well

[Wannabe Code Monkey]

I actually listened to this story last night on the way home (or the day before, can't remember). Anyway, at first I was shocked when I heard the intro, they lost all this sensitive data, did some stuff and then won a PR award. If the actions they took were so great shouldn't they have won some sort of privacy award. Winning a public relations award makes it sound like you did a great job covering it up. But actually listening to the story I found that they really did handle it in a great way for their customers.

Whole Disk Encryption vs. File/Directory

[MandoSKippy]

So I am researching encryption for this very reason (laptop encryption) anyone have any links or insights into why anyone would choose file/directory encryption? I am heavily leaning towards whole disk, mainly because how can you be sure you get everything. (i.e. temp files, pagefiles, hibernation files) I have seen some items regarding "inteligent encryption" but I just can't see how any program can "know" what to encrypt and what not to without tons of administrative overhead. That's why I like whole disk. Just do it all. Any thoughts?

Re:Encrypt the disks.

[winkydink]

It's not perfect. Nothing is perfect. How close to perfect do you have to get to be good enough?

Encryption? Priceless.

[mythosaz]

I work as the senior engineer for the desktop engineering department of a large west-coast healthcare organization with over 20,000 PCs.

Not only do we encrypt EVERY laptop, regardless of if we think it contains PHI; theft of desktop equipment has prompted us to encrypt EVERY desktop, regardless of if we think it may contain PHI. We also encrypt and monitor every PDA (including phones with sync).

The software: Millions of dollars.
Support: Millions of dollars.
Not being sued in California for losing PHI: Priceless.

Interesting theft

[Anonymous Coward]

Breaking into an office and stealing two hard drives, which contains all that data may point to a sophisticated, targeted hit, maybe using hired pros.

why is computer-theft still an issue?

[schweini]

i fail to see why computer theft is still an issue - even i implemented a relativly simple, yet, as far as i can see, 'secure enough' system for these situations:
all 'interesting' files are inside AES256 encrypted container-files wich are mounted via loop-devices.
if, for some reason, a server or machine reboots, it asks the next higher server for the password it needs to decrypt itself via an encrypted network connection. if a machine is reported as stolen, the server that has the task of sending the passwords gets advised of this, and simply wont send the corresponding password anymore. the peak of this pyramid of trusted machines is an off-site server far, far away. thus, if the hierarchy is broken (e.g. by computer theft) anywhere along the way, it's a matter of seconds to render all information contained on the stolen machine completly useless.
if i came up with this, surely the admins of REALLY important data can?

Re:Encrypt the disks.

[vertinox]

If they don't report it and the encrytion is broken what recourse do those people with compromised information/identities have?

A laptop theif isn't going to spend 3 months and 10,000 distributed computers to crack your laptop. Well... Maybe... If he thinks it was really critical, but chances are he might just format the drive and sell it at pawn shop.

Foreign Intelligence Operation?

[CodeBuster]

There is one other possibility that has not been considered and that is that the break-in was organized by a foreign intelligence agency in an apparently successful operation to capture records relating to United States military personnel. If this is true then it ups the ante significantly because foreign intelligence agencies have the resources and expertise to organize these types of raids despite the best private security and especially if the operatives are willing to kill for the information. They could have infiltrated across the Mexican border, where security is sorely lacking, and gone anywhere in the US without attracting much attention. Most corporations do not employ the types of security measures that the military does and so they would probably be caught off guard by a commando style raid in the middle of the night. The night watchmen doesn't get paid enough to be killed over a couple of hard drives and all he saw were men in balaclavas before he was knocked over the head with the butt of an mp5 and tied up...you get the idea. This may have been a professional job.

Re:What about external HDs?

[suwain_2]

Given that these external hard-drives are alot easier to pick-up and walk away with

Isn't that exactly why the external hard-drives are more prone ot being stolen?

but rarely, due to training, do we find an unattended hard-drive

If your training works, why not just train them not to leave laptops unattended?

Your post raises another interesting point, though: what if people use internal hard drives, encrypted, but a user brings in their own external drive? That seems like a potential security flaw waiting to happen.

Re:Why store data on latop at all?

[Zemran]

Why not take it further and have 5 locations using VPN and set the physically seperate location up like RAID 5 so no location actually has the data. If any hard drive gets stolen it has a maximum of every 4th chunk of data (4 chunks and a check chunk = 5 locations). A thief would need to break into all locations at the same time to get the data. If one location is broken into the data can still be recovered using the check chunks but the thief cannot recover any data. Encryption can easily be broken but a thief cannot see what he does not have.