Financialweek.com is reporting that theft of data is fueling interest in errors and omissions insurance, also known as E&O insurance. What exactly is E&O insurance? The name makes it pretty self‑evident: it’s insurance to cover any accidents or mistakes you may make (or the client perceives you have made) while providing a service. Depending on the profession, it may be called malpractice insurance (medicine) or professional liability insurance (lawyers, architects, etc.)
E&O actually covers more than the results of mistakes, however. It also covers defense costs as well, according to the insurancejournal.com. And why are companies looking for this type of insurance? Because accidents happen, especially when it comes to data. Even with the implementation of best practices in risk assessment and management, there is no way to account for all the vicissitudes that life presents you and your company.
What has all of this got to do with full disk encryption? Well, one of the reasons quoted in the insurancejournal.com article for the need of E&O insurance is that one needs to think about reputations, both for one’s company as well as his clients’. Now, I don’t see how insurance can help in keeping reputations intact, especially when it comes to data theft or loss; maybe it’s because I’m not a lawyer.
A data security breach—there’s no way for insurance to mend one’s damaged reputation once you’ve had such an incident, although I can see how such insurance would give affected parties the wherewithal to survive and rebuild their reputations. However, I can see how E&O can be a valuable part of a company’s risk management arsenal. Such insurance has been around for years (possibly centuries?), and people instinctively understand the need for it.
What is more pressing than getting insurance, however, is the need to make sure that data is not breached in the first place. After all, it’s generally easier for a good reputation to be preserved than to rebuild it from scratch, which is what one will do in the event of a data breach. There are different approaches to ensure information security, many of them complementary.
Data redaction is one, meaning you don’t save any unnecessary data on your computers. For example, universities are going through the process of using something other than students’ Social Security numbers for tracking purposes. This way, even if a hacker successfully gets into the school’s network, he can’t steal SSNs. Or, a company could set up policies so that sensitive customer information is available only via an intranet, never to be downloaded to a local computer. However, the problem with this approach to data security is that you will have people ignoring such rules, either due to ignorance, convenience, or other reasons.
The most convenient, and from a risk management standpoint, the best option may be encryption, especially full disk encryption. AlertBoot’s full disk encryption works by encrypting the contents of the entire disk. So, if a particular computer has any files that shouldn’t be there, they’re protected as well as everything else on the computer itself. Due to its all‑encompassing nature, many businesses are deploying full disk encryption for their company laptops, since these machines are at a high risk of getting lost or stolen. The vicissitudes of life strike deeply when you’re outside the company’s security perimeters.
Of course, this does not mean that computers that always remain within the perimeters don’t require encryption. There is less of an impetus because the risk of loss is reduced, but it’s still a good idea to encrypt desktops as well. After all, you don’t chuck your home safe just because you decided to sign up with ADT’s security service.
Last week, the Bank of Ireland (BoI) had announced that four laptop computers lost over the past year or so could have affected 10,000 customers. The BoI has updated the number of customers affected to over 30,000, per the investigation they were conducting after the announcement.
There has been a lot of criticism on the BoI’s actions, or lack thereof: they had waited nearly a year to alert their customers about the increased risk of identity theft they were facing. The BoI for its part countered the criticism by saying that they didn’t want to alert the thieves about the true worth of the stolen laptop computers.
Today’s revelation by the BoI is not really surprising. Similar post‑announcements have been conducted in the past when other organizations have had to revise the number of affected clients affected by stolen computers, be they laptops or otherwise.
Gaffes like these arise for quite simple reasons, really: we never have a complete of idea what’s in our computers, and furthermore, in individual files. Even when people have to follow a strict policy on what type of data is allowed on a computer, people will often ignore said policies. The reasons may run the gamut from “ignoring the idiots in IT” to “just not paying attention.”
And that last one is not necessarily a sign of incompetence. For example, I remember once receiving a spreadsheet full of customer names and other data from a client. Neither he nor I noticed that three individual columns contained sensitive customer information that had no bearing on the business at hand, and to which I certainly should not have had access to. Why was it included? Because the columns were hidden, that’s why. Hiding three columns out of 27 is not something that’s easily noticeable. (And if what I read about human psychology is true, people don’t notice that something is missing unless they’re actively looking for it. I have to admit that I wasn’t looking for hidden columns. My guess is my client wasn’t either—he was probably looking to see if a column with sensitive data was showing up.)
I think it’s pretty much established that people will save and download data locally regardless of what written policies are in place. And this is the reason why full disk encryption may work better for data security purposes than file encryption. Both have their pros and cons (and ideally you want to combine their use, the reason why both are offered if you sign up with AlertBoot), but whole disk encryption’s strength lies in the fact that it encrypts everything residing in the hard disk. Let me emphasize that again: residing in the hard disk. If you e-mail a document stored in the disk to someone else, the file is not encrypted anymore; for encrypting a file you need (tada!) file encryption.
Plus—unlike file encryption—once you have hard drive encryption in place, you never have to do anything extra to ensure information security (well, with the exception of changing your access passwords once in a while).
Full disk encryption was designed for those instances where the disk itself is lost—meaning, generally, when a computer is lost and stolen. If the BoI had safeguarded the contents of those four stolen laptops with full disk encryption, it wouldn’t have mattered whether 10,000 customer records or 30,000 of them were residing in the stolen machines.
A computer was stolen from the General Internal Medicine of Lancaster offices, a medical practice in East Hempfield Township, Pennsylvania. The computer, a laptop, contained names, addresses, telephone numbers, and Social Security numbers of many—not all—patients.
The laptop computer was being used as something of a file database. According to the practice manager, they were in the process of scanning paperwork, required for insurance purposes, and storing the image in the laptop. The paperwork would eventually be burned. Ultimately, the digital records would go on disks.
The laptop was stolen when an employee briefly left the scanning area. When the employee returned, the laptop was missing. No word on whether there was laptop encryption on the stolen computer.
Could full disk encryption have helped in this case? Not in preventing theft, of course, but ensuring that the theft doesn’t result in a data breach? Perhaps. The story that I’ve read implies the computer was stolen while scanning was in progress. If this is the case, the laptop was turned on. Now, if a thief stole a laptop in that state, there is not much that full disk encryption can do for this medical practice, unless the thief turns off the laptop at some point, especially before he decides to copy data.
Full disk encryption is like a strong box for digital information. The moment you open this strong box (that is, provide the passwords for decrypting the protected information), the contents remain vulnerable until you decide to close the strong box (turn off your computer). So, assuming that the thief stole the laptop while it was turned on, he’s essentially stolen a strong box with its door unlocked. There is no protection in that case.
However, this does not mean that computers that are up and running are impossible to secure. You can also use a different type of encryption, commonly called file encryption to secure data. This differs from hard drive encryption in that the file themselves are encrypted. So, if we can compare full disk encryption to a strong box, file encryption would be like top secret documents written in special a special language.
And, you don’t have to choose one over the other. Many encryption products offer both. AlertBoot, for example, features both laptop encryption and file encryption. Using both, one can dramatically minimize the risks of leaking sensitive information. Of course, it would be best if a person who’s in the process of scanning documents don’t leave those documents unattended.
The *** Cancer International Research Group (BCIRG) office in Edmonton, Canada, was broken into, and three laptops were stolen. Two of them were brand new and unused, so the chance of a data breach is not there at all. However, one of the laptops stolen was already in use.
The IT director for BCIRG has assured the public that the chance of an information security breach are remote (no word on whether there was sensitive data in that one laptop) because “a password was connected to a hard drive,” according to a quote from edmontonsun.com.
This statement is a little confusing for a couple of reasons. One: generally, a password doesn’t mean bupkis when it comes to data protection, unless that password is used to access encrypted data; I’d imagine that an IT director would be aware of this. Which brings me to confusion point number two: was there encryption on that hard drive? In other words, was a whole disk encryption product like AlertBoot used to secure the data?
Because, generally, if you have a potential data breach scenario due to computer theft and you’ve got some form of encryption protecting that computer’s data —be it file encryption or hard drive encryption—people tend to mention it. They say, “don’t worry. The contents were encrypted. Case closed.” Just mentioning password‑protection is code for “not really protected, but doesn’t that make you feel better because it sounds like there’s protection?” (You know, like your stockbroker telling you a particular security is rated “hold”—which really means sell. And a rating of “sell” means “sell yesterday.”)
Anywho, the above case is pretty confusing, so I think that there will be either some clarification in the near future.
Also, if this had been just a PR guy relating the news, I’d probably have pounced on it. Since it’s coming straight from the mouth of a tech-savvy person, I’d being a bit more circumspect. I know some people who would automatically mutter something under their breaths about “geezers…luddites…out of touch with reality…” and other choice words and phrases, since the director at a substantial organization generally tends to be older.
However, it behooves to remember that, despite most of us having to teach our grannies about the wonderful world of the internets (that last word’s not a typo), it’s also our grannies’ friends who invented the internet. And chances are that it’s them who are IT directors at sizable companies. Inventing the internet. Not bad for a bunch of out of touch luddite geezers, eh? Hence the need for caution in this case: just because you never know….
A clarification, however, is in order, since people hearing the above statement will naturally assume that password protection, not encryption, is enough to protect data when things go wrong.
It wouldn’t be a long stretch to say that companies that fall victim to an information security breach have a public relations problem in their hands. Admitting (or in some cases, just alerting—no admitting allowed) that a company has inconvenienced their clients has never been a good move. And so the spin‑doctors were born.
In some cases, it seems a better term would be spin‑quacks. I mean, the last thing a company wants to do if subject to a data breach is to appear incompetent. Granted, incompetence—or its flipside, a sunshine information security policy of “everything will be fine; computer theft happens to everyone else. Let’s go have a picnic and leave our laptops on a table while we go have a dip in the lake. That’s how we secure things at Pollyanna, Inc.”—is probably what caused the problem in the first place, so the quacks have their work cut out for them. But do they have to keep making weird pronouncements that obviate any suspicions on their lack of commonsense?
Consider the following statement that shows up quite regularly in data breach announcements, and of which I’ve seen many, many permutations: “We have no evidence that the stolen data will be used for unauthorized purposes.”
Read that again, just to make sure it sinks in. Is it just me? Are these people implying that they’ve had a situation where a thief leaves behind some kind of note alerting victims of what he intends to do? Of course these companies don’t have such evidence; the last thing a thief wants to do is stick around a write a thank‑you note. Can you imagine some guy leaving a calling card stating what he’s going to do with the data? Would the PR guys release something along the lines of “We have evidence that the stolen data will be used for unauthorized purposes?”
Where do these senseless string of words come from? I wonder if PR people feel compelled to fill in any blank spaces on sheet of paper; I know I do when writing these blog posts. Except, I overshoot, so I’m stuck paring these things down….
An easy way to prevent PR personnel from making such ludicrous observations is to hire good public relations personnel (well, actually, it’s harder than it sounds. But, it’s infinitely easier to hire good PR people than hire bad PR people and educate them, plus clean up their mess—for which one would hire a good PR guy). This, though, fixes the symptoms and not the cause. An even easier way to make sure PR people don’t stick their feet in their mouths is to deny them PR-worthy cases.
Easier said than done? You’d be right, absolutely. Anyone over the age of ten probably knows that there is no such thing as certainty in life. The point is to lower the risks of something happening. Does your workplace use laptop computers? Get thee some full disk encryption for those, as well as for your desktops. If you use AlertBoot, you can easily manage the encryption of your business’s computers, and use the powerful reporting to implement a security audit program to make sure you (and your PR staff) don’t get caught with your pants down.
CollegeInvest, a not-for-profit division of the Colorado Department of higher education, is alerting customers—approximately 200,000 of them—that their personal information may have been compromised. Details are still sparse; for example, I am unable to find what type of personal information could have been exposed in this particular case. Makes me wonder if the state of Colorado is exercising a little precaution so that nobody goes around looking for 200,000 entries of sensitive information on a random hard drive they picked up.
According to CollegeInvest, however, there is no need to panic because the data was secured with passwords as well as saved in a format that is difficult to access.
The frustrating thing about all this secrecy is that one can’t have an idea on how vulnerable he might be to identity theft. For example, consider the password that is securing the data, supposedly. Based on what I’m reading, it sounds like the device that was stolen was an external hard drive. My own experience with most external hard drives show that a password is not required to access it; indeed, passwords are generally tied to a computer (more specifically, the computer’s operating system).
So, it looks like CollegeInvest went to great lengths to either secure the hard drive (and if so, why not go all the way and use a hard disk encryption solution like AlertBoot?) or to secure the file in question. Either that or CollegeInvest has absolutely no idea in what context they were entering a password. Well, it may not be that bad, but I get the feeling that data security may not be their forte. Let me explain.
I’ve heard of instances where an organization assures their clients that identity theft is a minor concern because something is in an unusual format. However, the format one is referring to is physical. For example, say a back up tape was lost. Back up tapes require a tape drive, as well as a computer, to access the data. Tape drives are readily available, it’s true; however, they’re usually relegated to business venues. So, if a tape with sensitive information is lost, the format may offer some (but very little) protection. Likewise if the lost data were stored in a 5.25” floppy disk.
The protection provided here sprouts from the relative rarity of the data reading devices. Obviously, if the thief has such a device, there is no protection. In CollegeInvest’s case, what was lost appears to be an external hard drive. All one has to do is literally plug it into a computer to access the contents. There is no hard drive “drive” one has to obtain prior to reading the data. So, there goes the argument for the format providing some type of protection.
But the file! you say. The file could be tied to some kind of proprietary software. If I don’t have Microsoft Excel, I can’t open Excel files, right? I can’t get to the data.
You’d be wrong. Remember, the computer doesn’t care how you store the data; it stores everything in ones and zeroes. Get yourself the right software (and they’re plenty cheap), and you could be scouring a hard drive for SSNs and other personal information regardless of what type of file their stored in. Google Desktop, for example, requires the use of a web browser, but I can use it to find certain data in Microsoft Excel. The format does not matter (Some people will cringe at the example, but I think it makes the point for the average Joe).
The only way CollegeInvest could rest easily at night, knowing the contents of their now‑lost hard drive are secure from prying eyes, is if they had employed some form of encryption.