Wednesday, September 26, 2012

Identity Theft: Stolen Laptop Response

Encrypt, secure, prohibit or pay the price!

That's what Congress and state legislators should tell Ernst & Young, Veterans Affairs and other companies and agencies that play fast and loose with our personal data.

In the last several days, major news networks and countless online news sources reported two more incidents of lost or stolen laptops containing personal data of millions of individuals. The first theft involved a laptop stolen from a Veterans Affairs employee. Follow-up reports on that theft go from bad to worse, indicating 2.2 million active-duty personnel are now at risk for identity theft [http://www.cnn.com/2006/US/06/07/vets.data.ap/index.html]. The lost data in this case includes Social Security numbers.

The second incident involved a laptop stolen from an Ernst & Young employee. That laptop contained the personal data, including credit card information, of approximately 243,000 customers of Hotels.Com who had booked rooms between 2002 and 2004. In a way, this second incident is more egregious because losing laptops is reportedly commonplace for Ernst & Young.

        Nokia staff jacked by Ernst & Young laptop loss (30 March 2006)
        40,000 BP workers exposed in Ernst & Young laptop loss (23 March 2006)
        Lost Ernst & Young laptop exposes IBM staff (15 March 2006)
        Readers amazed by Ernst & Young's laptop giveaway (4 March 2006)
        Ernst & Young loses four more laptops (26 February 2006)
        Ernst & Young fails to disclose high-profile data loss (25 February 2006)

According to The Register, a British technology news site, password protection was the only security available on some of the laptops lost by Ernst & Young during a prior incident, which any avid computer user knows can be easily compromised. What about the laptops more recently lost by Ernst & Young employees? Was the data contained in those laptops encrypted? Are there any company policies limiting the extent of personal data that may leave the office where presumably network security standards and firewall protection are in place? Are there any company rules prohibiting employees from leaving laptops unattended (though you would think common sense would be enough)? Or better still, are there rules prohibiting the transfer of personal data to employee laptops? I expect there aren't. If any such measures were in place, Ernst & Young’s public relations people would have plastered that all over the media to reassure clients and the public in an attempt to save the firm’s corporate derriere.

Ernst & Young and the VA are not the only entities that have lost laptops with personal data, and most of these entities have developed a typical response straight from the Corporate Playbook. Ernst & Young has agreed to offer Hotel.Com customers a year's free credit monitoring. That’s no compensation for someone who will have to spend potentially years clearing up a resulting bad credit history. Anyone who’s been in the tenuous position of having to prove they do not owe a debt they do not owe will tell you that. If Ernst & Young created a task force to help consumers clear identity theft issues, then maybe that could be considered compensatory. If they offered to pay legal fees for anyone having to clear resulting bad credit histories, or pay state fines for prosecution of identity thieves, that might be considered compensatory. If they committed to and implemented a program to encrypt and secure the data and, in particular, prohibited downloading of personal data to portable computers in the first place, that would be considered the best move of all.

Employees of the auditing companies don’t seem to care what happens to your personal data. The Register reported that, in one case, employees left laptops in an unattended conference room while they went off to lunch. You can just see how that might happen. They’re in Miami at yet another conference. The conference is at a downtown hotel they’ve been to a couple times. They’re familiar with the hotel and the area so already they feel some sense of false security. Someone’s been talking for hours about converting more sales, pushing certain investments, or their company’s new data recovery center that will help clients feel more “secure.” Anyway, the speaker stops to take a breath and everyone realizes it’s a good time to break for lunch. They’re coming back to the room so, hey, why lug around those heavy laptops? Aren’t they coming back to the room for the second half of the conference? Do they even ask if the conference room will be locked during lunch? Of course not. They’re company laptops. What’s a few lost laptops to a big corporation like Ernst & Young.

Maybe these irresponsible employees need a little incentive to show better judgment. Suspending reality for just a moment, wouldn’t it be interesting if, any time one of these employees acted that irresponsibly, his or her Social Security number were posted on StupidIrresponsibleJerks.Com? That way they could sweat it out with the rest of us who have personal data floating out there and possibly in the wrong hands. While we’re at it, lets also expose the personal data of policymakers at these auditing companies who are too shortsighted to better secure your data and the company’s reputation. Let them sweat it out too. At a minimum, how about if these employees immediately lost their jobs, were required to be individually named in negligence lawsuits filed by victims of identity theft, or at a minimum SIMPLY HAD TO PAY FOR THE LOST LAPTOPS? I bet we’d see a decrease in stolen laptops then. Seriously people, some of these employees were so careless you can almost imagine them extending their arms and presenting the laptop to Joe Thief. “Here, take it. I’d give you my Windows password too, but you won’t need it. I didn’t bother to log off before going to lunch – check out my Paris Hilton screen saver.”

Most of these companies who have lost laptops with sensitive data try to pacify the public by saying the thieves are just after the hardware. Sure. That’s like telling a home burglary victim the burglar just wants your jewelry box. He’s not really interested in the $50,000 tear-drop diamond earrings you had inside. Bull. When a thief steals, every part of the stolen item has value. Everything. Even a computer illiterate thief knows there will be programs on a laptop and, if he knows what’s loaded, he can better evaluate the asking price when he fences it.

Ernst & Young’s web site praises the company’s network security measures in their section titled "Security and Technology Solutions." These measures may well be admirable. However, too often individuals, companies, and the public in general are so focused on stuff going over the Internet that they forget about stuff sitting in hard drives. A truly secure network focuses on data stream (information being transferred) and on data storage (information waiting to be used). In my dreams, my personal data is properly stored in a secure location, in a building with armed guards, vicious dogs, and an unfriendly receptionist. Well, I can hope. I can also hope that some of that data might also be encrypted. I realize my personal data with one institution may be stored in more than one location; for example, Building A (their main offices) and Building B (a branch office or, better still, a data recovery center). But, not in my wildest imagining would I expect that any business storing my personal data would allow it to be downloaded and stored on a laptop that an employee can take home where he does his online shopping. I know I also don’t expect that the laptop with my personal data is being left unattended in a hotel conference room, a bar counter or someone’s car. I don’t care how many financial or online banking agreements I sign. I’m never consenting to anyone downloading my personal information to a laptop. No one consents to the mishandling of their personal data.

I have yet to read any banking or credit agreement that expressly states the information will be downloaded to a laptop or in any way made available to anyone outside the secured network of the financial institution. There is a vague all-encompassing comment about information sharing, but the appearance given by these institutions is that the information will be handled and “shared” in a secure method over an encrypted Internet connection. Everything they say about their security has to do with their firewalled and encrypted data streams. To me that means that anyone working from home and needing access to my personal data is doing that using one of the many encrypted remote access programs that are out there: for example, Windows Remote Desktop or GoToMyPC or some other Citrix product. These programs are by no means impenetrable, but they are simply a better option, utterly available and far more secure. That’s just not the case with data downloaded to laptops without encryption or adequate password protected (though passwords are simply not enough). Over the years, I have used a number of remote access programs to log into my office and work on client files. I’ve even used a laptop to work downstairs on files stored on my main computer in an upstairs bedroom. The remote desktop creates a window that shows me the programs and data files on the main workstation or network server that is hosting my connection and contains what I need to see. I am NEVER required to download any data to the laptop to work remotely on it. That’s the whole point of the remote access software.

By compelling employees to log in, do the work and immediately exit the remote access program, Ernst & Young, the VA and any other entity that stores personal data minimizes the window of opportunity for your personal data to fall into the wrong hands while remaining behind an encrypted and presumably firewalled connection during the entire time that your personal data may need to be accessed. During remote access sessions, the company retains control of your information and there is oversight of the employee’s use of your information. Best of all, if your personal data is not needed during that particular remote access session, it never even becomes part of the encrypted data stream traveling over the Internet. This would expose even fewer people from the threat of identity theft. Think about it. Can any Ernst & Young employee work on the data of 243,000 Hotel.Com customers during one remote access session? Can one VA employee work on the accounts of 2.2 million active-duty personnel during one online remote access session? And yet, both these individuals collectively had the personal data of nearly 2.5 million people stored on their laptops and immediately available to anyone using their laptops. Why?

There ought to be a law, right? Oh, absolutely. Congress should immediately implement its own measures, including possibly levying fines against any entity that acts irresponsibly with your personal data, and should impose broader guidelines regarding access to your personal data. In 1996 Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) regulating the use of and access to personal health information and related identifying personal data, like medical record numbers and Social Security numbers contained in patient medical records. Though HIPAA caused a lot of headaches in the medical and legal communities, it validated concerns over privacy. HIPAA was still a step in the right direction even if, like most legislation, it needs to evolve to better reflect the legislative intent. Similar, legislation needs to be considered with respect to the personal data maintained by businesses and financial institutions. A person shouldn’t have to get sick to protect his or her personal data, though the apparent lack of security is sure to make you sick.

Although HIPAA addressed privacy concerns, the issue of protecting personal data isn’t a question of privacy; it’s a question of security. Protecting personal data could easily fall within the purview of Homeland Security. Personal data needs to remain secure because the casual criminal is not the only one making use of it. Whether it’s to raise fear or awareness, consistently our government tells us about the manner in which terrorists make use of other people’s personal data to create phoney IDs, buy cell phones, or book plane tickets. It’s not a leap of logic to suggest that protecting personal data thwarts terrorist activity. A bold politician might even say failure to do so is a breach of national security. But that’s going a bit too far, don’t you think? Certainly, though, it’s conceivable that personal data has the potential of falling into the hands of someone desiring more than just an overpriced pair of shoes, hair extensions or HDTV.

Other measures offer consumers far more protection than we’ve been seeing. There are currently legislative initiatives in certain states that would allow their residents to place a security freeze on their credit files prohibiting any new credit or loan application to go through without the consumer’s authorized PIN number. The freeze would allow consumers to lock their credit and temporarily unlock it when they know they will be applying for a loan or need to make some other type of major purchase. For more on security freezes, read the June 8, 2006, Home Watch article on WomensWebWatch.Com. A link to that site is provided in the author's bio below.

Ernst & Young is not a small operation. It is a successful business with, I imagine, an exceptional track record and the ability to provide solid services or it would not be retained by so many reputable businesses. However, the best company can show poor judgment and in this case it has. To be fair, I surmise that, like all companies, Ernst & Young has careless employees and most certainly careful ones. The company as a whole may be undeserving of the resulting bad reputation it’s getting. On the other hand, it has not shown it’s done enough to curb the loss of personal data. Frankly, even the most careful employee can be overwhelmed during a crime, or overly fatigued, and become dispossessed of his or her laptop. There is little compelling reason for those laptops to contain personal data. Every entity that handles personal data needs to implement a zero-download policy and issue essentially dumb terminals to their employees (laptops just for remote access).

Too many times, these institutions forego implementing some security measures because, they argue, no measure is 100% foolproof. They claim it would not be cost-effective for them to implement measures that can be breached. Well, every one of them has already implemented security measures which are not impenetrable. Most of these places already use encrypted Internet security connections for their data streams because failure to do so in this day and age is unthinkable, right? I’ve even heard that some of these places lock their doors at night so someone can’t walk in and steal the CEO’s favorite coffee cup. Adopting a company policy prohibiting the download of personal data to laptops is as expensive as sending around a memo about the upcoming company picnic. There is no need to download the data. Workers can still remote access the encrypted data using adequate alphanumeric passwords through a secure Internet connection behind firewalls on both sides, on the host computer and remote desktop. No, it’s not 100% foolproof. That’s true. My front door can be broken down, but I still lock it at night. Allowing downloads of sensitive data to laptops is the same as leaving the front door wide open.

N. Saco is a contributor and founder of several information web sites, including WomensWebWatch.Com  and WetwareSolutions.Com. Her blog is located at InternetExplorerBlog.Com, and a copy of this article can be found there. She has a degree in Communications, focusing in critical analysis, a minor in cultural anthropology, and 20 years experience in research, writing and investigation, primarily in medical litigation support.