A London-based film maker, Glenn Swift, was contacted out of the blue by an American looking for Swift’s password. Apparently, the American had bought Swift’s laptop – a computer that the film maker had returned to the manufacturer because there were problems with it – and was being prompted for a password in order to log in. The Guardian has labeled the incident as bizarre (and has recommended the use of laptop encryption, just like AlertBoot, to avoid becoming a victim).
The thing is, the incidence is not bizarre. Heck, it’s not even a coincidence. It’s the law of large numbers: stuff like this is bound to happen when you consider how manufacturers operate.
Insourcing – the UPS and Toshiba Example
Everyone knows what outsourcing. The loss of call center jobs to the orient has put outsourcing on everyone’s lips. Insourcing is…well, it’s not exactly the opposite of outsourcing. But it’s close, I guess; it depends on how you’re defining it. Take this example from “The World is Flat” by Thomas Friedman (p. 168):
Consider this: if you own a Toshiba laptop computer that is under warranty and it breaks and you call Toshiba to have it repaired, Toshiba will tell you to drop it off at UPS store and have it shipped to Toshiba and it will get repaired and then be shipped back to you. But here’s what they don’t tell you: UPS doesn’t just pick up and deliver your Toshiba laptop. UPS actually repairs the computer in its own UPS-run workshop dedicated to computer and printer repairs at its Louisville hub. (Ed.: I should note this is different from the current definition of “insourcing,” which refers to bringing home the jobs that were previously outsourced overseas.)
The situation is probably no different for the laptop Swift had purchased and returned, except it was an Acer. In Swift’s case, since the machine was returned, chances are the laptop was repaired and then put up for sale as a refurbished machine. (Your guess is as good as mine on how the laptop ended up on eBay.)
Anyhow, with many companies doing this; and seeing how technicians are human and prone to mistakes and oversight; and the market for laptop manufacturers is global, the law of large numbers just makes it a certainty that something like Swift’s experience will pop up once in a while. Nothing bizarre about it. I mean, would you think it’s bizarre that a frog with six legs was found close to a nuclear power plant that had a meltdown and spewed low levels of radioactive material into its surroundings?
Insurance, Pandemics, Roulette, and Encryption
What do the insurance business, the casino business, and the managed encryption business have in common? The law of large numbers.
Insurance companies are pretty good at divining the future. For example, they don’t know who among the people in their twenties will die in a car crash this year. However, factor in a number of relevant parameters and they get a pretty good idea how many will out of a certain population.
Likewise, the casinos don’t really know who will win big or lose big. However, the casinos know that the margins are built into the games and over the long run, they will be the big winners. Granted, they’ll have guests who will also win big… but that’s also a side of the law of large numbers.
And encryption….well, the law of large numbers applies in terms of data breaches. Like the insurance industry, it’s impossible to tell who will actually suffer a data breach. However, the law of large numbers guarantees that someone is bound to have one each year – there are just too many companies out there that collect data, and even if they are armed to the teeth with data security software there’s always bound to be a breach for one reason or another.
For example, let’s say that the odds of a laptop with sensitive data being stolen in any given year are 1 in 1,000 (I pulled out a number out of thin air). Sounds like a tiny number, right? But what if a company has 400 laptops to protect? Does the 1 in 1,000 work in their favor?
Beating the Odds
What are the chances that you’ll have a data breach in a given year if each individual laptop had a 1 in 1,000 chance of being stolen, and you had 400 laptops? The answer is about 33% (or 330 in 1,000 for easier comparison). It’s less than half but it’s a far cry from 1 in 1,000.
How’d I get that number? It doesn’t matter how many laptops with sensitive data you lose – 1, 2, 10, or 100 laptops – since the loss of any number of laptops is a data breach. So, you calculate the odds that you won’t suffer a data breach – 999/1,000 raised to the power of 400 – and you get a 67% chance of being OK.
Doesn’t sound too bad, does it? Let me put it in context for you: That’s like playing Russian roulette with a revolver that has only three chambers, one of them loaded. Or if you’re a traditionalist, a six-shooter but with two bullets instead of one.
Now, if you were to install full disk encryption on these 400 machines, the odds of each of them being stolen would still remain 1 in 1,000. However, the odds of being embroiled in a data breach would be astronomically lower.
Related Articles and Sites: