There were reports last week that a laptop containing personal information on over 160,000 people was stolen from Administaff, Inc., a Houston-based company. Administaff is a company that engages in outsourcing personnel management services, such as payroll administration. As such, it’s not surprising that Administaff deals with a lot of personal information, or that the stolen laptop contained Social Security numbers, names, and addresses.
How did the laptop get stolen? From the backseat of an employee’s car. Apparently, the employee stopped at a grocery store. I cannot fault the employee in this case. People have to eat at some point, and grocery shopping right after work is a natural thing to do. And let’s face it, not too many people decide to put their laptops in the trunk. To begin with, everybody knows that there is no cushioning in there—what if you drive over a rough patch and you bust your laptop? I’m less understanding of the fact that neither the laptop nor the files with sensitive information were encrypted.
According to an article in the Houston Chronicle, the computer was “password-protected.” I think it’s safe to assume that the only thing protecting this particular machine is the Windows logon prompt, which is not as secure as people think it might be. According to Administaff, not having the file encrypted is in violation of company policy. You’ll notice that this is what the Gap press release said when they had their security debacle earlier in the month.
My guess is that Administaff figured a long time ago that they might run into the problem they are having now and decided that encryption was necessary in the workplace. While encrypting files with sensitive data is a phenomenal method of protecting information, the problem with such a policy is that the onus falls upon the employees to secure the data: somebody copies some data to a spreadsheet temporarily and forgets to encrypt the file because he had to answer the phone; Murphy’s Law promptly kicks in and the laptop is stolen that same day. More importantly, if the encryption is done at the file level, it’s kind of hard to audit adherence to security policies.
A better method, or a complement to file encryption, might have been to encrypt the entire laptop at the hard drive level. This way, if theft is the reason for the security breach, the company can rest assured that the criminal cannot access the contents of the laptop, regardless of whether the correct files are encrypted or not. Plus, services such as AlertBoot, which offer full disk encryption, come with robust reports for auditing the state of encryption on each machine for which AlertBoot was deployed. This way, management can ensure that no computer slipped through the cracks when it comes to protection. It’s obvious that companies know they need to protect, and want to protect, their own data as well as their customer and worker data. It’s just a matter of how best to enforce that protection (minimal human interference would be best) and ensure it’s being maintained.