Why Is Sensitive ID Data On Laptops?

000417 computers - laptop missing state department
Every month seems to bring another episode of sensitive personal information escaping into the wild because a corporate or government laptop computer is lost or stolen. A common response is a lot of hand-wringing over how the data should have been encrypted.

But some key questions usually go unanswered. Why is so much private data allowed to be on laptops to begin with? What do people do all day that compels them to tote around records on, say, 26 million Americans, the staggering number seen in the recent Veterans Affairs case?

"It's pure laziness. There's actually no excuse for it," said Avivah Litan, a security analyst for Gartner Inc. "There's no good business reason for it."

Litan advocates a few simple steps: Organizations should keep sensitive information only on secure, centralized servers. Workers can access the data from PCs in the office or over private Internet connections, but can't store the records on their own machines to fiddle with them offline.

If they absolutely need to analyze data out of the office, the employees should run programs that replace live credit card or Social Security numbers with random "dummy" figures whenever possible, since the actual numbers aren't always relevant.

Following such rules would have prevented the scare that resulted when a laptop with veterans' data was burgled from an analyst's home May 3 (it was later recovered with the information apparently unaccessed). The VA inspector general told Congress that the staffer had been bringing data home for policy analysis since 2003.

It's true that encrypting data — scrambling them with private codes — can make whatever is found on a laptop almost impossible to read. But encryption often isn't turned on by users who think it degrades computer performance.

Consider the case of the ING Financial Services adviser who had Social Security numbers and other personal data for 13,000 District of Columbia employees on his laptop — until the computer was stolen from his home last month. ING administers pensions for the district.

The adviser had broken ING rules by not having the data encrypted. ING responded by recalling all employees' laptops to ensure that encryption software was turned on and couldn't be switched off.

But the fact that the information was out of the office was not itself a violation.

ING officials said the adviser had the records because they corresponded to older pension plan participants who were more likely to call him for assistance. The adviser also wanted the data on hand for potential marketing efforts, such as to help decide whom to invite to a finance seminar.