Identity Theft: Stolen Laptop Response
According to The Register, a British technology news site, password protection was the only security on some of the laptops lost by Ernst & Young in an earlier incident, and any reasonably experienced computer user knows that a logon password is easily bypassed: pull the drive, or boot the machine from other media, and everything on an unencrypted disk is readable without the password ever being entered. What about the laptops more recently lost by Ernst & Young employees? Was the data on those laptops encrypted? Are there any company policies limiting the amount of personal data that may leave the office, where presumably network security standards and firewall protection are in place? Any company rules prohibiting employees from leaving laptops unattended (though you would think common sense would be enough)? Or, better still, are there rules prohibiting the transfer of personal data to employee laptops at all? I suspect there aren't. If such measures were in place, Ernst & Young's PR people would have plastered that all over the media to reassure clients and the public and save the firm's corporate derriere.
Ernst & Young and the Veterans Administration are not the only entities that have lost laptops containing personal data, and most of them give us the same response, straight from the corporate playbook. Ernst & Young has agreed to offer Hotels.com customers a year's free credit monitoring. That is no compensation for someone who may spend years cleaning up a resulting bad credit history. Anyone who has been in the tenuous position of having to prove they don't owe a debt they don't owe will tell you that. If Ernst & Young created a task force to help consumers clear up identity theft problems, that might be considered compensatory. If it committed to paying the legal fees of anyone having to clear a resulting bad credit history, or to paying the costs of prosecuting the identity thieves, that might be considered compensatory. If it committed to and implemented a program to encrypt and secure the data and, in particular, to forbid downloading personal data to portable computers in the first place, that would have to be considered the best move of all.
Employees of the auditing firms don't appear to care what happens to your personal data. The Register reported that, in one case, employees left laptops in an unattended conference room while they went off to lunch. You can just picture how that happens. They're in Miami at yet another conference. The conference is at a downtown hotel they have been to a couple of times. They are familiar with the hotel and the area, so they already have a false sense of security. Someone has been talking all morning about closing more sales, pushing certain investments, or the company's new data recovery center that will help clients feel more "secure." Eventually the speaker stops to take a breath and everyone decides it is a good time to break for lunch. They are coming back to the room, so why carry around those heavy laptops? Aren't they returning for the second half of the conference? Do they even ask whether the conference room will be locked during lunch? Of course not. They're company laptops. What's a few lost laptops to a big corporation like Ernst & Young?
Maybe these irresponsible employees need a little incentive to show better judgment. Suspending reality for a moment, wouldn't it be interesting if, any time one of these employees acted that irresponsibly, his or her Social Security number were posted on StupidIrresponsibleJerks.com? That way they could sweat it out with the ordinary folks whose personal data is floating around out there, possibly in the wrong hands. While we're at it, let's also expose the personal data of the policymakers at these auditing firms who are too shortsighted to properly secure critical computer data and the company's reputation. Let them sweat it out too. Or, for a start, how about if these employees immediately lost their jobs, were individually named in negligence lawsuits filed by the victims of identity theft, or SIMPLY HAD TO PAY FOR THE LOST LAPTOPS? I bet we'd see a drop in stolen laptops then. Seriously, some of these employees were so sloppy you can almost picture them extending their arms and handing the laptop to Joe Burglar. "Here, take it. I'd give you my Windows password too, but you won't need it. I didn't bother to log off before going to lunch. Check out my Paris Hilton screen saver."
Most of the companies that have lost laptops with sensitive data try to pacify the public by saying the thieves were only after the hardware. Sure. That's like telling a burglary victim the burglar only wanted the jewelry box, not the $50,000 teardrop diamond earrings inside it. Fluff. When a burglar steals something, every part of the stolen item has value. Everything. Even a computer-illiterate burglar knows there are programs and data on a laptop, and if he knows what is loaded on it he can better gauge its price when he fences it. And whoever ends up with it can read an unencrypted disk without ever learning the logon password.
Ernst & Young's web site praises the company's network security measures in a section called "Security and Technology Solutions." Those measures may well be admirable. However, individuals, companies and the public in general are so often focused on data moving over the Internet that they forget about data sitting on computer drives. A truly secure environment addresses both data in transit (information being transferred) and data at rest (information waiting to be used). In my dreams, the data is stored in a secure location, in a building with security guards, bad dogs and a relentless receptionist. Well, I can hope. I can also hope that some of that data is encrypted. I realize an institution's data may be stored in more than one location; for example, Building A (the main office) and Building B (a branch office or, better still, a data recovery center). But never in my wildest imagination would I expect a business storing the data to allow it to be downloaded and stored on a laptop an employee can take home, the same machine he does his online shopping on. Nor would I expect the laptop holding that data to be left unattended in a hotel conference room, on a bar counter or in someone's car. I don't care how many financial or online banking agreements I sign; I am never consenting to anyone downloading my information to a laptop. No one consents to the mishandling of their personal data.
I have yet to see any banking or credit agreement that specifically states the information will be downloaded to a laptop or in any way made available outside the secured network of the financial institution. There is a vague, all-encompassing statement about information sharing, but the impression these institutions give is that the information will be handled and "shared" securely over an encrypted Internet connection. Everything they say about their security is about their firewalled and encrypted data channels. To me that means anyone working from home who needs access to the data does so through one of the many encrypted remote access programs available: Windows Remote Desktop, GoToMyPC or some other Citrix product, for example. These programs are by no means impenetrable (and the session has to be configured to block drive and clipboard redirection, or the data is one copy-and-paste away from the local disk anyway), but they are a far better option: readily available and far more secure than data downloaded to laptops with no encryption and nothing more than password protection (and passwords alone are not enough). Over the years I have used a number of remote access programs to log into my office and work on client files. I've even used a laptop to work downstairs on files stored on my main computer in an upstairs bedroom. The remote desktop opens a window showing me the programs and data files on the workstation or network server hosting my connection, and that is all I need to see. I am NEVER required to download any data to the laptop to work on it remotely. That's the whole point of remote access software.
By requiring employees to log in, do the work and immediately exit the remote access program, Ernst & Young, the Veterans Administration and any other entity that stores personal data narrows the window in which your personal data can fall into the wrong hands, while the data stays behind an encrypted and presumably firewalled connection for the entire time it needs to be accessed. During a remote access session the company retains control of your information and there is oversight of the employee's use of it. Best of all, if your personal data is not needed during that particular session, it never even becomes part of the encrypted data stream traveling over the Internet. That exposes even fewer people to the threat of identity theft. Think about it. Can any Ernst & Young employee work on the data of 243,000 Hotels.com customers during one remote access session? Can one Veterans Administration employee work on the accounts of 2.2 million active-duty personnel during one remote access session? And yet, between them, those two employees had the personal data of nearly 2.5 million people stored on their laptops and immediately available to anyone who got hold of those laptops. Why?
There ought to be a law, right? Yes, absolutely. Congress should promptly enact measures, including penalties against any entity that acts irresponsibly with your personal data, and impose stricter rules on access to it. In 1996 Congress enacted the Health Insurance Portability and Accountability Act (HIPAA), regulating the use of and access to personal health information and the identifying personal data, such as medical record numbers and Social Security numbers, contained in patient medical records. Though HIPAA caused plenty of headaches in the medical and legal communities, it validated concerns over privacy. HIPAA was still a step in the right direction, even if, like most legislation, it needs revision to better reflect its legislative intent. Similar legislation needs to be considered for personal data held by businesses and financial institutions. A person shouldn't have to get sick to have his or her personal data protected, though the apparent lack of security is enough to make you sick.
Although HIPAA addressed privacy concerns, protecting personal data isn't only a question of privacy; it's a question of security. It could easily fall within the purview of Homeland Security. Personal data needs to stay secure because the casual criminal is not the only one making use of it. Whether to raise fear or awareness, our government regularly tells us how terrorists use other people's personal data to create phony IDs, buy cell phones or book flights. It is no leap of logic to say that protecting personal data thwarts terrorist activity. A bold politician might even say that failing to do so is a breach of national security. But that's going a bit too far, don't you think? Certainly, though, it is conceivable that personal data could fall into the hands of someone wanting more than an overpriced pair of shoes, hair extensions or an HDTV.
Other measures offer consumers far more protection than we've been seeing. There are legislative initiatives in some states that would allow residents to place a security freeze on their credit files, so that no new credit or loan application can go through without the consumer's authorized PIN. The freeze lets consumers lock their credit and temporarily lift it when they know they will be applying for a loan or making some other kind of major purchase. For more on security freezes, see the August 8, 2006, Home Watch article on WomensWebWatch.com. A link to that site is provided in the author's biography below.
Ernst & Young is not a small operation. It is a successful business with, I imagine, an excellent track record and the ability to provide solid services, or it would not be retained by so many reputable businesses. But even the best company can show poor judgment, and in this case it has. To be fair, I assume that, like all companies, Ernst & Young has sloppy employees and, certainly, careful ones. The company as a whole may not deserve the bad reputation it is getting. On the other hand, it has not shown that it has done enough to curb the loss of personal data. Frankly, even the most careful employee can be overpowered during a crime, or simply worn out, and end up relieved of his or her laptop. There is little compelling reason for those laptops to contain personal data. Every entity that handles personal data needs to implement a zero-download policy and issue its employees what are essentially dumb terminals (laptops used only for remote access).
Too often these institutions skip security measures because, they claim, no measure is 100% foolproof. They claim it would not be cost-effective to implement measures that can be breached. Well, every one of them has already implemented security measures that are not impenetrable. Most of them already use encrypted Internet connections for their data channels, because failing to do so these days is unthinkable, right? I've even heard that some of them lock their doors at night so nobody can walk in and steal the CEO's favorite coffee cup. Implementing a company policy prohibiting the download of personal data to laptops costs about as much as sending around a memo about the upcoming company picnic. There is no need to download the data. Employees can still reach it through remote access, using adequate alphanumeric passwords, over an encrypted Internet connection with firewalls on both sides, at the host computer and at the remote desktop. No, it's not 100% foolproof. That's true. My door can be broken down, but I still lock it at night. Allowing downloads of sensitive data to laptops is the equivalent of leaving the front door wide open.
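A zero-download policy is only as good as the check behind it, so here is the kind of audit a security team would run against issued laptops to find personal data that should not be there. This is an added example written for this page; it is not code from Ernst & Young, The Register or the original article. It assumes the policy forbids Social Security numbers and payment card numbers on the laptop entirely, so every hit is a violation worth reporting, and the directory layout, file names and numbers in `demo()` are constructed for illustration (4111 1111 1111 1111 and 5500 0000 0000 0004 are the usual test card numbers; the SSNs are structurally valid but fictitious).

```python
"""Audit a laptop's files for personal data that a zero-download policy says
should not be there: formatted Social Security numbers and payment card numbers.

Added example, not the article's or Ernst & Young's code.  Assumes the policy
is "no SSNs or card numbers on the laptop at all".  Usage:
    python pii_scan.py <directory>      (no argument: scan a constructed demo tree)
"""
import os
import re
import sys
import tempfile

# Formatted SSN: three groups separated by dashes.  Bare 9-digit runs are left
# alone on purpose; they collide with far too many account and order numbers.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def ssn_is_plausible(area: str, group: str, serial: str) -> bool:
    """Structural rules the SSA has never violated: area 000, 666 and 900-999
    are never issued, and neither are group 00 or serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that every real card number passes.  It filters out
    invoice numbers and timestamps that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> dict:
    """Count plausible SSNs and Luhn-valid card numbers in a piece of text."""
    ssn_hits = sum(1 for m in SSN_RE.finditer(text) if ssn_is_plausible(*m.groups()))
    card_hits = 0
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            card_hits += 1
    return {"ssn": ssn_hits, "card": card_hits}


def scan_tree(root: str, max_bytes: int = 4 << 20) -> list:
    """Walk a directory and return (relative path, ssn count, card count) for
    every file with at least one hit.  Files are decoded as text with
    undecodable bytes dropped, so text embedded in binaries is scanned too."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue            # assumption: very large files are media/binaries, skip them
                with open(path, "rb") as fh:
                    text = fh.read().decode("utf-8", errors="ignore")
            except OSError:
                continue                # unreadable file: not our problem here
            counts = scan_text(text)
            if counts["ssn"] or counts["card"]:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, counts["ssn"], counts["card"]))
    return sorted(findings)


def demo() -> list:
    """Build a throwaway 'laptop' from constructed sample files and scan it.
    Everything below is made up; the card numbers are standard test numbers."""
    samples = {
        "clients/export.csv": (
            "name,ssn,card\n"
            "A. Customer,123-45-6789,4111 1111 1111 1111\n"
            "B. Customer,078-05-1120,5500 0000 0000 0004\n"
        ),
        # Dates, phone numbers and a 13-digit order number: must not be flagged.
        "notes/todo.txt": "call back before 2006-08-08, invoice 305-555-0123, order 1234567890123\n",
        # Structurally impossible SSNs: must not be flagged.
        "notes/bogus.txt": "000-12-3456, 666-12-3456, 123-00-4567, 123-45-0000\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for rel_path, ssn_count, card_count in hits:
        print(f"{rel_path}: {ssn_count} SSN(s), {card_count} card number(s)")
```

The plausibility rules and the Luhn check are what keep this from drowning the report in dates, phone numbers and invoice IDs; they do not make it perfect (a run of adjacent account numbers separated only by spaces can still pass Luhn by chance), so treat a hit as something to open and look at, not as proof on its own. Run it against the home directories of the laptops that were issued as "remote access only" and anything it finds is a policy violation, whether or not the laptop ever leaves the building.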