UK Hospital Struck Twice With Computer Theft. Data Encryption Not Present.

The Royal Bolton Hospital in England has fallen victim to computer theft—twice.  In each instance, medical information was on the stolen devices.  The thefts took place in October and November, but the public is being alerted only now.  I guess someone is thanking an all-powerful being that the UK does not have HIPAA legislation to follow.  Although, that Data Protection Act they have is nothing to sneeze at.

 

I used to have a beef with PR people stating that a stolen computer had “password protection but was not encrypted” trying to reassure the public about the safety of their data.  Of course, the general populace started getting wise to the fact that it meant absolutely nothing security-wise, so it seems to have been dropped in favor of other stuff.  Such as this one: There is no evidence at all that whoever took the computers took them for the data.  The thieves probably targeted the computer because of its monetary value and portability, and other reasons for inducing stickyfingernessity.

 

This one is not as soothing to the troubled mind as the other one—for one, it doesn’t have that forward-projection of safety: Woo! Passwords!  Double-layer!  Protection! Bam!  Whamo!  Encryption?  What’s that?  Doesn’t that require passwords as well?

 

Plus, it’s relatively easy to draw a parallel to show the above pronouncement as meaningless.  I might steal a bag, but not because it’s a bag.  It’s Prada. (Thank you, Wayans Brothers.)  A portable thing of high value.  But, hey, what’s this?  Credit cards? We-heh-hell, I’m eating tonight!  The problem with this new line of “don’t worry, be happy” pronouncement is that one has to presume that a thief steals a computer either for its resale price or its data but not both.  Most people know better.

 

At any rate, the hospital has waited several months to alert their patients of the breach and that they should watch out for any forms of ID theft—if they haven’t become a victim already, I guess.  Perhaps in an effort to create a bulwark against criticism, over 300 laptops and desktops are being recalled from staff to have encryption software installed, a step in the right direction.

 

Another step in the right direction?  They’re going to centralize the data, so that individual laptops will not be carrying all that data, all the time.  Of course, they’ll want to make sure there are restrictions on what can be saved locally to the laptops’ hard drives, but it should help to improve overall security.  One wonders why they didn’t do these things sooner.  Though, if my military experience is any guide, you really start to move once the other cheek has received a good kicking as well.

 

The recall of 300 computers will have a temporary impact on the workforce; it has to.  If the Royal Bolton Hospital had signed up with AlertBoot, they would not have needed to recall the laptops.  A 2 MB file could have been sent via e-mail, downloaded, and installed by each user—a file size that is smaller than that of a digital picture captured by a high-end camera phone.  Plus, the reporting engine would have allowed the IT staff to keep tabs on users actually encrypting their machines.  But, hey, better something than nothing; better late than never.


