Ernst and Young is the latest company to fall into the data breach spotlight due to a lost laptop. An E&Y laptop was lost which had the personal information of over 38,000 British Petroleum employees. BP officials began notifying their employees that their personal information may have been exposed and may put them at risk of identity theft. In this particular case, social security numbers were among the personal information on the laptop.

The UK IT Trade web site, The Register, had the following headline:

40,000 BP workers exposed in Ernst & Young laptop loss

It’s not until you read much deeper into the article that you find out that the laptop that was stolen was password protected. To me, the interesting thing about this article is how quickly the author dismisses the password protection as a false assurance.

Is this an example of a zealous reporter trying to spin the story to make it appear more scandalous than it really is? If the laptop is password protected, what is the chance that the personal information could be accessed and used for identity theft? There is usually a lag of several months from the time an incident like this happens until the identity theft incidents start occurring.

But the public relations debacle is happening right now. Let’s assume for a moment that 6 months later, E&Y issues a press release that says, “Hey, remember that laptop loss 6 months ago, well, we have detected no identity theft incidents among any of the people whose data was exposed. So we conclude that the password protection was sufficient for the protection of personal information.” Would that restore E&Y’s reputation? Would the affected people feel better? I doubt it.

I assume that laptops are always going to be lost or stolen. Given that so many people take them every where they go, there’s always going to be accidents and theft. It seems reasonable to me to conclude that the issue is not about how to secure laptops. How strong would the encryption on the laptop have to be for the reported to think, “well, with that level of encryption, there’s no way a criminal will get access to it so I guess I don’t have a story.”

I believe that no level of encryption or any security measure would stop the reporter from writing a story about a lost laptop with personal information. The reason for this is that the personal information should have never been on that laptop in the first place!

It is difficult for me to imagine anyone in E&Y needing immediate access to that many people’s records at one time. Who would physically have time to individually look at the information? And more to the point, why must the E&Y employee have the personal data of BP employees on his personal laptop? In this age of an increasingly pervasive internet, it’s difficult for me to imagine a situation in which the personal data couldn’t be kept on a secure server in the E&Y network and accessed remotely from the laptop over a secured VPN.

And I think that’s the real lesson from all the laptop loss stories we hear so much about these days. It’s not about securing the laptop. It’s about keeping the sensitive information off the laptop and on a physically secure server on a secured network. We need to think of laptops not as computing platforms in their own right, but more as access points to computing resources. Any business process that requires customer information to physically be located on an employee’s personal laptop needs redesigned as quickly as possible before the inevitable laptop loss and the inevitable PR debacle happens.

This entry was posted by Calvin () on Monday, March 27th, 2006 at 9:30 am and is filed under Identity Theft. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

Note: Blog posts are the opinions of their authors and do not reflect the official opinion of the National Science Foundation or North Carolina State University.