(re) blog: dialogue with Redemtech

According to a news story appearing in Thursday’s edition of the Mandurah Mail, a laptop computer and an external hard drive belonging to the dance troupe Pulse and containing information vital to the performance group was stolen in a home burglary. Both the laptop and hard drive had been donated to Pulse by a local bank for the specific purpose of developing graphics and making video and multi-media presentations.

The thief probably didn’t care about the fancy graphics software or the information that the dance troupe considered priceless, but likely saw the laptop as just another object suitable for making a quick Australian dollar.

So, funding documents, promotional materials, videos, irreplaceable photos, the complete history of the six-year-old performance group and music that had been edited for the group’s upcoming show were suddenly gone. “Hours and hours of work have been stolen. It’s going to make it very, very hard to get this performance together,” said group coordinator Tracy Harrington.

The reaction of the performance group to this devastating loss is representative on a small scale of the impact any off-network data breach, particularly the loss of a laptop computer or other portable data-bearing device, has on every business that depends on sensitive data for its livelihood. While the dance troupe’s loss is heartbreaking to read, the reactions of those involved are really no different from the media quotes I see from business leaders whose companies have suffered a major data breach spurred by a lost laptop.

Another recent newspaper article, this one appearing in the Calgary Sun, makes the point well with a quote from a provincial information and privacy commissioner in Alberta regarding the theft of two hospital laptop computers containing private information on 250,000 people stolen from a research lab.

Commissioner Frank Work called the theft from Alberta Health Services a "warning" of the potential risks of using portable devices such as laptops, memory sticks and hand-held computers to handle sensitive health information. "The lesson is, do what you (have) to do to get these devices protected," Work said.

Work went on to say he was disappointed that Alberta Health Services didn't know more about the laptops. "This raises a whole lot of issues. Do they know what's going on in their departments with other portable devices?" he said.

That’s a very important question. It has been our experience at Redemtech that many companies do not adequately track their off-network data-bearing devices or don’t have a clear picture of who has access to information. Many others don’t see the logic of using encryption to protect sensitive data or training employees on the basics of protecting the laptops they sometimes forget in an unlocked car or on a coffee shop table, leaving the business wide open for the consequences of a data breach. Many others may not understand the inherent need to totally destroy old data on end-of-lifecycle equipment so that it doesn’t surface in some eBay auction or, even worse, in a much-publicized investigation of data found on second-hand equipment.

The Calgary Sun article reports that the Alberta Health Services theft may provoke an evaluation of the healthcare provider’s policies on portable devices, including inventories of devices in use, maximum numbers of files allowed, and better awareness of exactly what data are stored on individual devices in case of a loss. That’s a promising step, but one from which more businesses would benefit if they took action before a laptop disappears and a data breach occurs.

While the Mandurah Mail doesn’t say so, it’s likely that the Australian dance troupe that lost the musical and financial data for its upcoming show along with the entire history of the group will never again look at laptop security the same way. It too will probably evaluate its policy toward storing data, now that it is brutally aware of what happens when a vital piece of equipment is stolen.

Large or small, any laptop theft can have dire consequences for the organization that needs that data. Otherwise it could mean the last dance for any business that doesn’t keep on its toes when it comes to data protection.