1. Stolen equipment
In May 2006, personal data on 26.5 million veterans was compromised when a laptop and a storage disk were stolen from the home of a subcontractor working for the U.S. Department of Veterans Affairs. Both items were recovered, and arrests were made. The FBI claimed that no data had been stolen, but the incident prompted sweeping reform at the VA. However, in January 2007, another breach occurred when a laptop was stolen from an Alabama medical facility, exposing personal data on 535,000 veterans and more than 1.3 million physicians.
Costs: By June 2006, the VA was burning through $200,000 a day to operate a call center to answer questions about the breach. It also spent $1 million to print and mail notification letters. It was given permission to reallocate up to $25 million to pay for those costs. Class-action lawsuits were also filed, including one demanding $1,000 in damages for each person affected. After the 2007 breach, the VA set aside an additional $20 million for breach-related costs. And the department recently agreed to pay $20 million to current and former military personnel to settle a class-action lawsuit.
Blinders: Lost or stolen equipment accounts for the largest portion of breaches -- about 20 percent in 2008, says the Identity Theft Resource Center (ITRC). According to Bart Lazar, a partner in the Chicago office of law firm Seyfarth Shaw, incidents involving lost or stolen laptops make up the majority of the data-breach cases he works on.
Eye-openers: First, Lazar recommends restricting what personal identifying information is placed on laptops at all. For instance, don't store customer or employee names alongside other identifiers, such as Social Security or credit card numbers; alternatively, truncate those numbers so only part of them is kept. Also, consider creating your own unique identifiers by, for example, combining letters from an individual's last name with the last four digits of his Social Security number.
Second, require personal information on laptops to be encrypted, despite the potential cost ($50 to $100 per laptop) and performance hit that involves, says Lazar. This needs to be accompanied by consciousness-raising, says Blair Semple, storage security evangelist at NetApp Inc. and vice chairman at the Storage Networking Industry Association's Storage Security Industry Forum. "I've seen situations where people had the capability to encrypt but didn't," he says. "Scrambling the bits is the easy part; it's the management and deployment that's hard."
Third, Lazar recommends policies requiring very strong passwords, so that data on a device that is later lost or stolen is not easily accessible.
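As an added example, not code from the article or from Lazar's practice, the routine below produces the kind of laptop-safe extract the first recommendation describes: Social Security and card numbers are truncated to their last four digits, and the link between a name and its number is replaced by a keyed HMAC pseudonym whose key is assumed to stay on the server, never on the laptop. The keyed hash is a deliberate substitution for the last-name-letters-plus-last-four construction mentioned above: that construction can be recomputed by anyone holding a name list, while a keyed pseudonym cannot be recomputed or reversed without the key. A final check refuses the export if any field still carries a full number. The sample records, field names and key are constructed for the demonstration.

```python
import hashlib
import hmac
import re

# Constructed sample records (not real data): the kind of extract that ends up
# on a laptop, with names tied directly to SSNs and card numbers.
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "ssn": "123-45-6789", "card": "4111 1111 1111 1111"},
    {"name": "John Smith", "ssn": "987-65-4321", "card": "5500000000000004"},
]

# A full SSN (dashed or bare nine digits) and a full 13-19 digit card number,
# the two things that must never appear in the laptop copy.
FULL_SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b|\b\d{9}\b")
FULL_CARD = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def truncate(number: str, keep: int = 4) -> str:
    """Keep only the last `keep` digits of an SSN or card number."""
    digits = re.sub(r"\D", "", number)
    return digits[-keep:]


def pseudonym(name: str, ssn: str, key: bytes) -> str:
    """Keyed, one-way identifier that replaces the name-to-SSN link.

    The key is held server-side (assumption: fetched from a key store, not
    written to the laptop), so whoever ends up with the file can neither
    recompute an id from a guessed name and SSN nor reverse one. Inputs are
    normalized so the same person always maps to the same id.
    """
    ssn_digits = re.sub(r"\D", "", ssn)
    material = (name.strip().lower() + "|" + ssn_digits).encode()
    # 32 hex chars = 128 bits, ample collision margin for an identifier.
    return hmac.new(key, material, hashlib.sha256).hexdigest()[:32]


def minimize(records, key: bytes):
    """Build the laptop-safe copy: pseudonym plus truncated numbers, no name."""
    return [
        {
            "id": pseudonym(r["name"], r["ssn"], key),
            "ssn_last4": truncate(r["ssn"]),
            "card_last4": truncate(r["card"]),
        }
        for r in records
    ]


def has_full_identifiers(records) -> bool:
    """Pre-copy guard: True if any field still holds a full SSN or card number."""
    for r in records:
        for value in r.values():
            if FULL_SSN.search(value) or FULL_CARD.search(value):
                return True
    return False


if __name__ == "__main__":
    # Hypothetical key for the demonstration; in practice it comes from the
    # server-side key store and is never written to the laptop.
    key = b"server-side-key-not-stored-on-laptop"
    safe = minimize(SAMPLE_RECORDS, key)
    assert has_full_identifiers(SAMPLE_RECORDS)   # the raw extract fails the guard
    assert not has_full_identifiers(safe)         # the minimized copy passes it
    for row in safe:
        print(row)
```

The guard is the part worth keeping even if the pseudonym scheme changes: run it over every file before it is allowed onto a portable device, and treat a hit as a blocked export rather than a warning.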