Handling Corporate Laptop Theft Gracefully

Billosaur writes "From NPR, we get a Marketplace story about the theft of corporate laptops and the sensitive data they may contain, specifically how to handle the repercussions. From the story: 'TriWest operates in about 21 states. It's based in Phoenix, Arizona. In December of 2002, somebody broke into the company's offices and stole two computer hard drives.And those hard drives contained the personal information of 550,000 of our customers from privates in the military all the way up to the chairman of the Joint Chiefs of Staff.' How they handled the situation earned them an award from the Public Relations Society of America."

Handled Pretty Well

[Wannabe+Code+Monkey]

I actually listened to this story last night on the way home (or the day before, can't remember). Anyway, at first I was shocked when I heard the intro, they lost all this sensitive data, did some stuff and then won a PR award. If the actions they took were so great shouldn't they have won some sort of privacy award. Winning a public relations award makes it sound like you did a great job covering it up. But actually listening to the story I found that they really did handle it in a great way for their customers.

Re:Encrypt the disks.

[winkydink]

It's not perfect. Nothing is perfect. How close to perfect do you have to get to be good enough?

Encryption? Priceless.

[mythosaz]

I work as the senior engineer for the desktop engineering department of a large west-coast healthcare organization with over 20,000 PCs.

Not only do we encrypt EVERY laptop, regardless of if we think it contains PHI; theft of desktop equipment has prompted us to encrypt EVERY desktop, regardless of if we think it may contain PHI. We also encrypt and monitor every PDA (including phones with sync).

The software: Millions of dollars.
Support: Millions of dollars.
Not being sued in California for losing PHI: Priceless.

why is computer-theft still an issue?

[schweini]

i fail to see why computer theft is still an issue - even i implemented a relativly simple, yet, as far as i can see, 'secure enough' system for these situations:
all 'interesting' files are inside AES256 encrypted container-files wich are mounted via loop-devices.
if, for some reason, a server or machine reboots, it asks the next higher server for the password it needs to decrypt itself via an encrypted network connection. if a machine is reported as stolen, the server that has the task of sending the passwords gets advised of this, and simply wont send the corresponding password anymore. the peak of this pyramid of trusted machines is an off-site server far, far away. thus, if the hierarchy is broken (e.g. by computer theft) anywhere along the way, it's a matter of seconds to render all information contained on the stolen machine completly useless.
if i came up with this, surely the admins of REALLY important data can?

Foreign Intelligence Operation?

[CodeBuster]

There is one other possibility that has not been considered and that is that the break-in was organized by a foreign intelligence agency in an apparently successful operation to capture records relating to United States military personnel. If this is true then it ups the ante significantly because foreign intelligence agencies have the resources and expertise to organize these types of raids despite the best private security and especially if the operatives are willing to kill for the information. They could have infiltrated across the Mexican border, where security is sorely lacking, and gone anywhere in the US without attracting much attention. Most corporations do not employ the types of security measures that the military does and so they would probably be caught off guard by a commando style raid in the middle of the night. The night watchmen doesn't get paid enough to be killed over a couple of hard drives and all he saw were men in balaclavas before he was knocked over the head with the butt of an mp5 and tied up...you get the idea. This may have been a professional job.

Re:Why store data on latop at all?

[Zemran]

Why not take it further and have 5 locations using VPN and set the physically seperate location up like RAID 5 so no location actually has the data. If any hard drive gets stolen it has a maximum of every 4th chunk of data (4 chunks and a check chunk = 5 locations). A thief would need to break into all locations at the same time to get the data. If one location is broken into the data can still be recovered using the check chunks but the thief cannot recover any data. Encryption can easily be broken but a thief cannot see what he does not have.