Laptop loss or theft is greater than firms are admitting. The end loser is the consumer exposed to ID theft. Is mandatory reporting the answer?
As you slowly sip your tea, relish its warmth and ponder the march of the crowds outside the cafe’s window, you squint up at the electronic timetable to recheck the time of your train. Still 20 minutes before you have to board, so plenty of time to put those finishing touches on that report.
You reach down to your briefcase for your laptop. A shiver runs down your spine as your hand grasps emptiness. Shock and loss turns to fear and eventually trepidation as you wonder how you will explain to your boss that a laptop with the names, addresses and credit-card numbers of leading customers is now in the hands of a complete stranger.
This scenario is rapidly becoming a regular occurrence across the world as laptop computers and smart phones containing sensitive company data proliferate and their owners fall easy prey to opportunistic thieves or simply leave the devices behind them in trains and taxis.
Often these devices, which are unsecured and without even the most basic password or PIN, are hawked for a comparatively small amount of euro and their proceeds probably used to buy drugs. But in the hands of skilled information thieves, the aftermath could be devastating and costly to both the organisation and the consumers whose information it has promised to protect.
A few weeks ago, the nation of Ireland woke up with a shock when it emerged a laptop containing close to 175,000 patient records belonging to the Irish Blood Transfusion Service (IBTS) was stolen in New York. It was taken from a worker at a New York blood bank who had been mugged outside his home. The worker was contracted to upgrade the IBTS’s software.
The IBTS promptly reported the matter to the Data Protection Commissioner and a subsequent investigation by the Commissioner decided the loss of the laptop breached no data protection rules as encryption on the device was sufficient to protect the information from prying eyes.
The IBTS was lucky. Not all laptop users use encryption, not to mention passwords, to safeguard their machines.
According to Pat Moran of Ernst & Young’s risk advisory services practice, laptop theft in Ireland is greater than public or private sector organisations are reporting.
“Organisations in Ireland are losing laptops or having them stolen on a frequent basis. Not just laptops but information on USB keys, which is more worrying than laptops.
“Another problem is that PCs which go out of commission after three years are being disposed of in a very loose manner. Data which may not be fully scrubbed from a hard drive could represent a major threat to organisations and personal security,” Moran says.
The fact that employees can walk into their business and copy information on to USB keys, mobile phones or MP3 players, or indeed walk around with assets like laptops with little or no way to protect the information, is one Irish businesses need to wake up to fast, says Eoin Goulding (pictured), managing director of Integrity Solutions.
“In the majority of cases, people won’t even report the loss of a laptop or phone. A new one would just cost you €400. Many businesses are unsure how many devices they have.”
The theft of the IBTS laptop and similar embarrassing data breach disclosures in the UK, ranging from the loss of laptops from the Department of Defence to the loss of disks with details of thousands of child benefit recipients, has led to debate on the introduction of mandatory breach reporting rules.
There is a growing intolerance of data breaches and in the UK the Financial Services Authority fined Norwich Union €1.76m for weaknesses in its systems and controls which allowed fraudsters to use customer information and run off with €4.6m in funds.
“The first thing we recommend companies do is an audit of what they have in terms of laptops and smart phones and put in risk management policies. For example, outline to executives what they can and can’t carry on their laptops,” Goulding says. “Other firms put in place software that prevents mployees using USB keys.”
Goulding says firms whose executives carry company laptops can easily deploy encryption software. Types of encryption software available on the market includes CheckPoint PointSec to Pretty Good Privacy (PGP) and TrueCrypt.
“To give an idea of how hard it is to break through encryption, a drug dealer in the US was arrested by the FBI. His laptop was encrypted and CheckPoint was asked if it could open it. Because it didn’t have the encryption key or password, it was impossible.
“I would say that every day in Ireland a laptop goes missing,” Goulding says.
Ben Cranks, a consultant with HP’s products group, says the basic steps to take to protect a laptop start with password security, but the majority of laptops now come with some form of encryption, as well as fingerprint identification.
But password protection is no guarantee. “It’s very easy for information thieves to just take out the hard disk and thus bypass the password. Fingerprint scanning is no guarantee either. Error rates are one in 20 or 40,000, so all you need to do is keep rubbing your finger on it and eventually you get in. Multi-factor authentication that combines a password and fingerprint scan offers a better chance of safety.”
All in all, Cranks says the best way to ensure safety is encryption. “Most laptops come with it but it requires making backups. The best advice is don’t put information that you can’t afford to lose on a laptop.
On the question of whether mandatory breach notification rules should be introduced in Ireland, Owen O’Connor of the Information Systems Security Association (ISSA), says the IBTS’s response to the issue compares favourably with the largest US corporations forced by legislation to notify their customers of loss.
“The IBTS reacted extremely quickly, provided detailed and accurate information, made executives available for detailed discussion and set up a customer helpline.
“To me this is a blow to the argument that Ireland or the EU needs to introduce mandatory breach reporting legislation. Firstly, the IBTS exceeded the requirements of any likely legislation and secondly, it would not likely be required to make a disclosure based on the data being encrypted,” he says.
Don McAleese, a solicitor with Matheson Ormsby Prentice, says in the aftermath of the loss of data at the Inland Revenue, the UK is closer to introducing mandatory breach reporting. “The Data Protection Commissioner doesn’t have the power to fine a company in the same way as the UK’s Financial Services Authority, which may need to be looked at.”
McAleese says the experience of the IBTS should be a costly reminder to Irish firms. He estimates the postage of letters to all of the affected blood donors cost the IBTS €91,000. Aside from the administrative burden, the legal consequences and damage to reputation is something firms need to consider.
“Theoretically, if a customer suffers damages as a result of data theft, they have a right to go to court and if they can establish an organisation was negligent they could sue for damages. Most organisations are coming to realise the damage of reputation is a significant driver to be more careful. It’s laptops today but the next scandal could concern a BlackBerry.”
Tag it and bag it – and catch the thief who nabs it
A Cork-based firm whose innovative service aims to reunite lost laptops with their owners is about to launch a new electronic tagging technology aimed at the 600 million new smart phones and 100 million laptops that ship worldwide every year.
Frank Hannigan, managing director of YouGetItBack.com, has received support from Enterprise Ireland and private investors to develop a unique electronic tagging technology that will help users track lost or stolen laptops and even build up a warrant against the thief.
The company, whose customers include Tesco, O2, Deloitte, Vodafone and Astra Zeneca, has developed a new software it intends to introduce for the application layer of various mobile devices ranging from BlackBerry and Symbian devices to iPhone, Linux and Google Android devices.
“Over the past three years we’ve built up the services to help reunite people with their lost devices using our physical tags and we realise that it can extend to include anything from glasses to car keys,” says Hannigan.
“The electronic tags include the same function as the physical tags to make it easy for a kind person who finds a lost device to get in touch with us and we’ll reunite it with the owner.
“The software will lock down the device and if it was stolen this would make it impossible for the thief to sell it on.
Another feature will be elements to give the person the resources to actively pursue the thief. “If the device is switched on, the software automatically finds a wireless connection and the owner can locate it on Google Maps. The software includes a toolkit to help the owner to build up a case for a warrant against the thief.”
By John Kennedy