It had been a long day in Palo Alto, Calif., for a Fidelity Investments employee. On a routine business trip to meet with clients at Hewlett-Packard, he was finally getting some much-needed downtime. Joining several colleagues for dinner at a Chinese restaurant, he decided to relax after a stressful day. His day, though, was about to get much worse.
In the parking lot, a laptop sat in his unlocked rental car. Its hard drive contained information about 196,000 current and former HP employees, including their names, addresses, Social Security numbers and dates of birth--all the fundamental ingredients for an identity heist of gigantic proportions.
Three hours later, when dinner ended, the employee returned to the car. Peering at the empty space where his laptop should be, he suddenly realized his routine business trip was about to make front-page news.
Fidelity publicized this true-life horror story on March 23. Fidelity's loss and other recent laptop thefts paint a picture of a growing problem. As mobility becomes the status quo, corporate laptop use has increased, and laptop theft has increased with it.
To help companies avoid the legal and financial liabilities associated with laptop theft, technology providers have rolled out a variety of solutions. Some secure the content of a laptop's hard drive. Others aid in tracking and recovering the stolen equipment. Such solutions can help protect a company's reputation.
"A company may be able to avoid legal liability, but they can never escape the embarrassment factor," says Brad Gross, a partner at Becker & Poliakoff. "That's something that haunts them forever."
Like Fidelity, many companies have suffered the after-effects of laptop theft. The same month as the Fidelity fiasco, laptop theft befell Ernst & Young and Verizon Communications. Within one year, Boeing had two laptops stolen.
According to the 2005 Computer Security Institute/FBI Computer Crime and Security Survey, laptop theft losses for 2005 topped $4 million while the total loss due to theft of proprietary information increased to nearly $31 million.
It's not the loss of the hardware that's striking a blow to corporations. It's the possibility that a theft will result in lawsuits and potential fines for violating state and federal laws governing the protection of employee and customer data.
Experts agree that the best practice when it comes to laptop security is to use a layered approach that establishes multiple barriers to unauthorized access. At its root, any robust security solution should begin with some level of disk encryption.
"Because the data on the device is probably worth more than the device itself, encryption is probably the most important thing that people should do before they start layering on other technologies," says Eric Skinner, vice president of product management at EnTrust, an Addison, Texas-based provider of encryption technologies.
Encryption protects data via a complex, virtually unsolvable algorithm. Only those with the correct password, or fingerprint if a machine has biometric technology, can read the data.
But encryption alone may not be sufficient. Users can easily compromise password protection.
"A password is something people could share," says Dan Pfeifle, senior director of Tel Aviv-based Aladdin Knowledge Systems. "So using just encryption software is like building a castle but leaving a backdoor open."
To ensure users can't bypass encryption security, companies can implement two-factor authentication, which uses encryption technology as well as smartcards, such as Aladdin's eToken.
"Two-factor authentication is like using an ATM card," Pfeifle says. "You aren't getting money if you just drive up and enter in a password, and you aren't getting money out if you just insert your ATM card and can't provide the PIN."
Two-factor authentication doesn't have to be expensive. EnTrust's encryption technology runs about $100 per user, with the price dropping as the volume of licenses increases, while eToken costs about $60 a seat.
Track And Recover
Companies wanting to go above and beyond data security also can enlist solution providers to help track and recover stolen hardware.
Recovering a stolen laptop is a multi-tiered process that involves the courts, police, subpoenas and warrants. Maneuvering through the system can be difficult. Software providers such as Nashville-based CyberAngel Security Solutions Inc. and Vancouver-based Absolute Software Corp. will navigate the recovery for you.
The available solutions are very similar. The vendor offers an application that companies install on laptops. When a company reports a machine stolen, a monitoring center remotely accesses the laptop, telling the application to contact it every few minutes via any Internet connection the laptop can establish. This allows monitors to capture essential information such as the IP address, the Windows login information and the current e-mail user information.
This ability for the laptop to find connectivity and call the monitoring center is vital for laptop recovery.
"The key is to not lock up network connectivity," says Bradley Lide, president of CyberAngel. "A nonoperational machine has little value for a thief. They'll just chop it up for parts and throw it into a dumpster. If connectivity is established, we can track it."
Once the vendor retrieves the information, it can determine the location of the laptop and call area police.
"You may ask why in the world would police help recover a stolen laptop when they have a million other things to investigate," says Ben Haidri, vice president of marketing at Absolute Software. "But we have a recovery team made up of ex-police officers who know how to talk to other cops."
Such tracking and recovery solutions are relatively cheap, costing roughly $55 per user.
Although laptop recovery and encryption solutions wouldn't have prevented Fidelity's incident of theft, they may have allowed the company to rest easier.
To Fidelity's credit, the company had equipped the stolen laptop with some security barriers, such as encryption software. Still, the company has had to undertake the arduous task of notifying all affected HP employees and setting up a special phone line to answer customers' questions regarding the theft. It also has offered free credit monitoring to those affected.
Possibly the most important lesson from the Fidelity fiasco is to watch what you put on a laptop.
"Organizations need to be asking themselves should we even be storing that information locally on a laptop," says Richi Jennings, a lead analyst at Ferris Research. "Most likely the answer is that the information should not have been stored on a laptop in the first place."
But if an employee really needs to keep such sensitive information on his or her computer, then encryption and laptop recovery services are a worthwhile investment.
"Physical prevention is just wasting your time because people are people, and they are going to do stupid things," Jennings says. "Companies should think about what they can do technologically to protect the data once it is stolen."