More on Data Theft

In my last post, I had a bit of a rant about how irresponsible some companies are when it comes to allowing sensitive customer data to reside on employee laptops. Later, I came across this article on Yahoo News, describing just how widespread this problem is.

According to the article:


Since June 2005, there have been at least 29 known cases of misplaced or stolen laptops with data such as Social Security numbers, health records and addresses of millions of people, according to the Privacy Rights Clearing House, a San Diego-based nonprofit that tracks data thefts.

So more than two major incidents a month occur along these lines. Given how high profile some of the companies have been so far (e.g., 26.5 million veterans were affected by the laptop stolen from a Dept of Veteran Affairs employee), it’s just a matter of time before this affects me or someone close to me.

The article comes from the perspective that encrypting sensitive data on laptops would help alleviate these problems. I’d argue that encrypting data isn’t enough — there should be an examination of why sensitive data would ever be stored anywhere but on servers that are both physically and electronically secured.

Also from the article:


Sometimes, there's no good reason for why so much information is being kept on individual machines that are designed to be carried out of the office. In other cases, workers were allowed to have the data on the laptops but didn't follow proper procedures for keeping it safe. In others, they broke the rules by taking personal data out of the office or not protecting it with digital tools.


I would actually argue that there’s not a good reason at all for customer data to be on individual machines… ever. With the availability of secure VPN access into the office, why would a user traveling around with a laptop ever need customer data on their laptop? Actual customer data shouldn’t be available to just anyone… and of the people who DO have access to it, what type of information worker needs that data locally? At home?

My perspective is admittedly biased, but I could see where a developer who works with that data might WANT it to be on his or her local machine — but a company’s engineering and/or security directors should be laying down the law against that. Use a VPN to get at an approved development server. Generate test data if you need to work offline.

It’s just asinine that this continues to happen as often as it does when the remedy for it seems so clear — strong security policies, reasonable practices to ensure security, and zero-tolerance enforcement when those practices are ignored or those policies are broken.