NPR’s Marketplace aired a broadcast on May 2nd discussing corporate data security, the theft of customer information, and the measures being taken (or not). http://marketplace.publicradio.org/shows/2006/05/02/PM200605024.html The report was fairly thorough, but it did not expand on the measures that can be taken to properly secure company and customer data, much less on the full costs associated with these thefts.

In the report they discuss the magnitude of this problem:

“About 18,000 Bank of America customers got a memo back in May saying their Social Security numbers were on a laptop stolen out of an employee’s car. That same month a laptop was stolen from a branch of Omega World Travel, containing the credit card info of 80,000 Department of Justice workers. Not to be outdone, Bank of America had another laptop stolen in August. In November, 161,000 Boeing employees were told that a laptop containing their Social Security numbers was lifted. Geddit? Boeing? Lifted? In February, Ernst and Young was hit. In March it was Fidelity. As I was writing this paragraph, Boeing called again to say that, since we talked, another laptop was grabbed away from an HR rep at an airport. We’re talking, at least, 14 different companies, three state governmental agencies, five hospitals and nine colleges and universities.”

But they only briefly discuss one of the main issues at hand. Can any company or person ever guarantee that sensitive information will not be compromised? Of course not. But there are some very basic steps which can be taken now to seriously impede those trying to capture Social Security numbers, credit card numbers, health records, etc. From the story, “…(Jonathan Zittrain, a co-founder of the Berkman Center for Internet and Society at Harvard Law School) says there are pretty sure-fire ways to protect sensitive information. Like, encrypting it, or leaving the data on the main server and remotely tunneling through the Internet to work with it.”

The ability to store sensitive information on centrally managed (and protected) servers is really quite basic these days, not to mention a critical part of your security policy (one of many great resources with more information is the SANS project: http://www.sans.org/resources/policies/). With secured and encrypted wireless connections, SSL VPN tunnels and the ability to update, store and back up remotely over the WAN, why is sensitive information still being stored on company or personal laptops, or being transported on tapes by anyone other than Wells Fargo?

Marketplace aired a follow-up interview with the CEO of a major healthcare provider on May 11th. He and his company have won awards for how they’ve dealt with the theft of information, after the fact. They have also lobbied heavily with Congress to change the laws to which companies must adhere when notifying customers of information theft. “At the moment, Congress is considering a few bills that would require companies to do what McIntyre did: Notify customers in the event of a security breach.” http://marketplace.publicradio.org/shows/2006/05/11/PM200605115.html

But what about prevention? These laws are still vague. Please remember that, as a company responsible for the security of your customers’ confidential information, you cannot wait and react to this problem after the fact. The legal and financial costs are far too great to ignore. This is a problem which has to be dealt with proactively for any response to be even mildly effective.