Reading the long list of personal data breaches resulting from laptop theft alone is enough to keep any manager responsible for corporate privacy awake at night.
Sept. 28, 2007: A laptop containing personal information of 800,000 job applicants is stolen from a third-party vendor managing lists for Gap Inc.
Feb. 13, 2006: A laptop is stolen from an Ernst & Young employee’s car, exposing the social security numbers of 38,000 BP employees, as well as employees from Sun, Cisco and IBM.
Nov. 19, 2005: A stolen laptop from Boeing’s HR department includes the social security numbers and bank account information of 161,000 employees.
Those are but a few examples of the many data breach incidents reported by San Diego-based Privacy Rights Clearinghouse. In the U.S. alone, there have been more than 252 million personal data breaches since the organization started tracking in January, 2005.
And laptop theft is just as much of a problem for Canadian businesses, according to James Quin, senior research analyst at Info-Tech Research Group.
“Anytime we’ve done cross-border comparisons, the problem for Canadian businesses is comparable, on a per capita basis, to what we are seeing south of the border,” he says.
No wonder IT admins and HR managers have nightmares about privacy leaks. But new technology from Intel Corp. could help them sleep easy, according to David Hoffman, Intel’s global privacy officer.
The chip manufacturer now includes anti-theft –PC protection (AT-p) technology in many business notebooks.
“It’s built into the hardware and can work in concert with laptop encryption to better protect your data,” Hoffman says. So if you’re the victim of a PC theft, you can be sure the wrong people won’t be able to access your computer.
AT-p is embedded into the laptop’s hardware, locking the computer even before the operating system can be booted up. That ensures outsiders won’t be able to work around a software security wall or break an encryption key.
Hoffman talked about Intel’s technology at a Toronto conference hosted by Ontario Privacy Commissioner Ann Cavoukian Jan. 28. Hoffman and other speakers emphasized that it’s possible to have both security and privacy built into technology, and the concepts are not mutually exclusive.
A common conundrum for many businesses is they want to give out laptops to their employees, but worry about losing the hardware, Hoffman says. Most have enough common sense to have a policy prohibiting sensitive data from being placed on a laptop, and the systems in place to make sure that policy is followed. But sometimes policies aren’t perfect.
He says he sometimes asks customers if they have mechanisms to ensure all historical data migrated from systems — that might be 20 years old — is tracked. “That’s when I get blank stares.”
There are three different ways a company’s IT shop can trigger AT-p on a laptop.
The machine could be locked when there are repeated failed password entries, Hoffman says. So if an employee loses a laptop while it is off, and an outsider attempts to gain access by guessing the password, they will be blocked.
The second option requires that a remote server authenticate a laptop’s user on a set schedule.
“You could say that you want your employees to check in every day with a remote server, and if they don’t the system will time out locally and lock up,” he says.
A third option would send a “poison pill” via the Internet to lock the laptop. Even if an employee’s laptop is stolen when it’s running, a quick call in to the IT shop could lock it.
“Say you leave it on at the coffee shop and somebody takes it,” Hoffman says. “You could set it up so that as soon as it’s connected to the Internet, it could be remotely locked.”
Businesses shouldn’t consider Intel’s hardware protection a replacement for security on the OS and even application levels, Quin says. It is designed to work alongside other layers of security, and Intel is not the only option.
“This is not the first hardware level security infrastructure component,” he says. “Trusted Platform Modules (TPMs) have been shipping for awhile now and when used appropriately, can ensure protection for the hardware and the system as a whole.”
While tough security measures could prevent thieves from getting their hands on sensitive personal or corporate data, they could also stop a blundering employee from accessing his or her data. The AT-p system does allow the laptop’s owner to unlock the laptop.
The IT shop can set a secure password locally stored on the laptop to unlock the data.
Also, the IT shop could send a security token to the laptop to unlock it once they know it is back in the right hands.