Thoughts on Data Theft/Loss

I have been thinking a lot recently about the data breaches where laptops are stolen and hundreds of thousands of people's identities are compromised instantly. I believe the fact that they are stolen is the first crime. The second crime is that the data is not encrypted. Both parties should be held equally liable for this disclosure.

The fact that disk encryption is absent from the majority of these cases leads me to believe that many corporate operations are similar to the ones with which I am familiar. Most large corporations have a system by which full disk encryption could be instituted as a policy and company wide standard for mobile computers. I understand that it would be a significant undertaking, costing money and development time with very little return on the money they spend. That may sound callous, but it is the nature of business. Most likely, it is cheaper at present to simply work a deal with another corporation to provide identity theft protection services than to completely change the configuration of their laptop computers across the entire company.

Some businesses have policies in place that would, on the surface, appear to solve this issue. This includes requiring all official company documents to be stored on the server or servers that are designated for their department or user account. Everyone asks why the data was stored on a laptop. The answer is simple: If the individual wants to work on it without network connectivity, it has to be stored locally. Network connectivity does not exist everywhere, so for those mobile users, there is no choice other than to store the data on their local system.

Secondary to this is the fact that many times, space allocated to individual users on shared servers is ridiculously small. Increasing disk space for an individual user is much like pleading a case in court. You have to prove that you do not have an enormous file somewhere that could be deleted and that you do, in fact, need this extra space to perform your job. As a result, often times it is just easier to store all that data on the local 120GB hard drive inside the workstation. In these type of instances, one cannot entirely blame the user. They are stuck in a no win situation. They have to do their job, but cannot do their job because of system limitations. Either way could lead to trouble, but odds are not saving on a server could be more easily defended than not doing one's job.

Complicating matters further, many large businesses prohibit the use of encryption technology among individual users. On the surface this seems to fly in the face of common sense. However, in the corporate world, many times common sense can be temporarily suspended to make way for a valid reason. There is no way that the information technology departments can support this for hundreds of thousands of users. The nature of encryption is to allow individuals to secure their documents and/or communications and to make that communication impossible to intercept or recover. While the majority of users who even understand encryption are the least likely to cause issues, the fact is that if a user has it and their boss does not, suddenly the user has control of their communication. This would enable people to openly violate company policies, disclose information and otherwise undertake in prohibited activity without fear of prosectuion. This says nothing of the clueless executive who will forget his private key and then be irate when the IT department cannot decrypt his/her document or e-mail. Again, at present it seems that it is more cost effective to just help clean up the mess after a data breach has occurred.

I do not have a solution to this problem. The only thing I can suggest is that people who are trusted with this data be careful with it. If it were your bank records, you would not leave it in an unlocked car with the windows rolled down, clearly visible sitting on the passenger seat. It is a mentality of respecting other people's property in the same manner that you respect your own. Unfortunately, this does not seem to be something all individuals have. And that's a whole other post...