Handling Corporate Laptop Theft Gracefully 197
Billosaur writes "From NPR, we get a Marketplace story about the theft of corporate laptops and the sensitive data they may contain, specifically how to handle the repercussions. From the story: 'TriWest operates in about 21 states. It's based in Phoenix, Arizona. In December of 2002, somebody broke into the company's offices and stole two computer hard drives.And those hard drives contained the personal information of 550,000 of our customers from privates in the military all the way up to the chairman of the Joint Chiefs of Staff.' How they handled the situation earned them an award from the Public Relations Society of America."
Re:Encrypt the disks. (Score:2, Interesting)
Handling Secure Data Loss Gracefully (Score:3, Interesting)
Handled Pretty Well (Score:4, Interesting)
I actually listened to this story last night on the way home (or the day before, can't remember). Anyway, at first I was shocked when I heard the intro, they lost all this sensitive data, did some stuff and then won a PR award. If the actions they took were so great shouldn't they have won some sort of privacy award. Winning a public relations award makes it sound like you did a great job covering it up. But actually listening to the story I found that they really did handle it in a great way for their customers.
Whole Disk Encryption vs. File/Directory (Score:2, Interesting)
Re:Encrypt the disks. (Score:4, Interesting)
Encryption? Priceless. (Score:5, Interesting)
Not only do we encrypt EVERY laptop, regardless of if we think it contains PHI; theft of desktop equipment has prompted us to encrypt EVERY desktop, regardless of if we think it may contain PHI. We also encrypt and monitor every PDA (including phones with sync).
The software: Millions of dollars.
Support: Millions of dollars.
Not being sued in California for losing PHI: Priceless.
Interesting theft (Score:2, Interesting)
why is computer-theft still an issue? (Score:5, Interesting)
all 'interesting' files are inside AES256 encrypted container-files wich are mounted via loop-devices.
if, for some reason, a server or machine reboots, it asks the next higher server for the password it needs to decrypt itself via an encrypted network connection. if a machine is reported as stolen, the server that has the task of sending the passwords gets advised of this, and simply wont send the corresponding password anymore. the peak of this pyramid of trusted machines is an off-site server far, far away. thus, if the hierarchy is broken (e.g. by computer theft) anywhere along the way, it's a matter of seconds to render all information contained on the stolen machine completly useless.
if i came up with this, surely the admins of REALLY important data can?
Re:Encrypt the disks. (Score:3, Interesting)
A laptop theif isn't going to spend 3 months and 10,000 distributed computers to crack your laptop. Well... Maybe... If he thinks it was really critical, but chances are he might just format the drive and sell it at pawn shop.
Foreign Intelligence Operation? (Score:5, Interesting)
Re:What about external HDs? (Score:3, Interesting)
Isn't that exactly why the external hard-drives are more prone ot being stolen?
but rarely, due to training, do we find an unattended hard-drive
If your training works, why not just train them not to leave laptops unattended?
Your post raises another interesting point, though: what if people use internal hard drives, encrypted, but a user brings in their own external drive? That seems like a potential security flaw waiting to happen.
Re:Why store data on latop at all? (Score:5, Interesting)