If the "don't want to end up on the front page of The Wall Street Journal" syndrome isn't enough to motivate chief information security officers to encrypt laptops, how about the fear of getting fired?
Pedro Cadenas Jr., former CISO of the U.S. Department of Veterans Affairs, probably wasn't the first to lose his job in the wake of a data breach, but his firing this summer was perhaps the most high-profile. It's not so hard to fathom, given how laptop data losses have mounted this year. About 90 percent of the personal data lost in the first half of 2006 was taken physically (tapes, records and computer gear), and stolen laptops accounted for nearly three-quarters of those physically lost records, according to an analysis of Privacy Rights Clearinghouse data by emailbattles.com.
To be fair, people lose things; personal items do get stolen; and something as valuable and portable as a laptop will always be a target of thieves, no matter what's on the hard drive. But what frustrates consumer advocates is the lack of a basic safeguard to make the data useless to the thieves: encryption. Paul Stephens, a policy analyst at the Privacy Rights Clearinghouse, says "encryption software is inexpensive, and some shareware is free. Not using it borders on negligence."
When it comes to data insecurity, the U.S. government has been the chief culprit, with problems at the Department of Veterans Affairs, the IRS, the Navy, the Department of Agriculture and the Federal Trade Commission. After the VA snafu, the Office of Management and Budget recommended that all federal agencies encrypt data on mobile devices and use two-factor authentication when remote access is allowed.
Specifically, the recommendations from the Office of Management and Budget in late June were that, within 45 days, federal agencies encrypt all data on mobile devices and use two-factor authentication wherever remote access is allowed. To be excused from the encryption mandate, an agency must obtain a written determination from its Deputy Secretary that the data is non-sensitive. Further, the required second authentication factor must come from a device separate from the computer being authenticated. In other words, approaches that rely on IP intelligence, geolocation, keystroke analysis and other hidden forms of two-factor authentication aren't considered adequate.
While it's a good rule, agencies are finding that responding to such recommendations quickly is problematic. And it has yet to prevent the problem. In August, the VA found itself struggling with yet another data loss, this time with another contractor reporting a missing laptop containing information on 38,000 vets. On the bright side, it was revealed that the stolen and later recovered laptop holding 26 million records, the one that caused heads to roll at the VA, had been taken by three Maryland teenagers who had no idea what was on the drive. Another person returned the laptop to collect a $50,000 reward. Two of the teens face burglary charges; charges are pending against the third, a juvenile.
The feds are not the only ones with data-loss woes. Financial institutions inadvertently leaked 1.9 million Social Security numbers in the first half of 2006, according to data analysis from the Privacy Rights Clearinghouse. In June, for instance, a laptop computer containing the unencrypted Social Security numbers of 13,000 District of Columbia employees and retirees was stolen from the home of an employee of ING U.S. Financial Services, which administers the district's retirement plan. So much for learning from one's mistakes: That theft followed one in December, in which two ING laptops containing information on 8,500 Florida hospital workers were stolen. ING spokeswoman Caroline Campbell says the D.C. employee was not following company policy and the institution is "aggressively moving forward with a comprehensive confirmation process that all of our laptops meet our encryption and password-protection-policy requirements."
Still, D.C. city officials say they are disturbed about how the data was stored, and Stephens wonders about the risk institutions expose themselves to by not encrypting data. Before the VA laptop was recovered, the department had spent $14 million, mostly on notifying veterans of the breach. Several lawsuits were filed against the department.
With so much at stake, why don't companies do what seems so blatantly obvious: encrypt the darn data? According to Alan Paller, director of research at the SANS Institute, a computer-security organization, the culprit is poor technology, which might accomplish the task of encryption, but is user-unfriendly. "The two problems are high fear and high complexity," he says.
As for complexity, Paller expresses disdain for the encryption software currently available. "People are selling encryption technology they claim is easy, but it's not," he notes. "I've looked for it, and it's not out there. It's just bad programming." As Paller sees it, there has not been sufficient demand for software companies to invest in user-friendly encryption technology. The good news? That's changing, and fast.
He argues that the industry hit a tipping point earlier this year with the avalanche of unencrypted data losses. It's become a boardroom agenda item, with members asking executives: "What are you doing to keep us off the front page?" He estimates that consumer-friendly encryption technology will become available in the next six to 12 months.