Martin McKeay

Security Matters

Why even have it there?

On Friday afternoon I had the opportunity to talk to Dr. David Taylor from Protegrity about the Veterans Administration's 26.5 million lost records for an upcoming podcast.  One of the points we discussed is why these records are on laptops or other easily misappropriated media in the first place.  Businesses and their employees need to realize the value of Personally Identifiable Information (PII) and treat it appropriately.

The recent Hotels.com, or more accurately Ernst & Young, laptop loss is an excellent example.  An employee of E&Y had approximately a quarter of a million PII records on his laptop, which was stolen from the trunk of his car.  My first question is, what legitimate reason did the E&Y analyst have for accessing this information in the first place?  I can't really think of a good reason for anyone outside of the Hotels.com company to have access to this information, but there must have been one.  Otherwise it would never have been there to begin with, right?

The best defense businesses can have against PII being stolen along with laptops has nothing to do with encryption, tracking mechanisms or any other technical solution.  The best defense they can employ is to never allow this information on the laptops to begin with.  Security is a balancing act between enabling employees and protecting the data.  But when it comes to accessing credit card data, the security of the data has to be the number one priority.  Employees need to learn that they can't have the data on their laptops.  Access needs to be limited to the office, to secure remote access (i.e., VPN), or not allowed at all!  Customer information is too valuable to be allowed on laptops.  Or at least the consequences of losing the data are too costly.

One of the basic tenets of defense: if it's not there, it can't be stolen.  Ernst & Young needs to learn this lesson, and soon.  They've been responsible for at least three major PII losses this year alone.  How many more will it take before they figure out that the convenience of having the data immediately available just isn't worth it?  And when will businesses stop trying to tell us 'it was against company policy'?