Online Exclusive: Plaintiffs data breach suits fail where they can’t prove damages.
With the theft of portable communications devices at epidemic proportions–128,280 laptops and 106,000 cell phones were reported stolen in the U.S. in 2009, according to the FBI’s National Crime Information Center–the expense of a possible data breach from stolen hardware remains an issue of concern for many companies.
As a result, technology companies are going far beyond the common data encryption software to systems that can remotely delete data, lock out thieves from accessing information, locate the missing laptop or portable device, and even transmit a photograph of the thief.
The technology is attractive to corporations because the cost of lost or stolen laptops skyrockets if the computer stored personal information such as birthdates and Social Security numbers. In a December 2008 Ponemon Institute study, 92 percent of IT security practitioners reported that someone in their organization had lost or had a laptop stolen, and 71 percent of those incidents resulted in a data breach. The Institute found the average cost of a 2008 data breach to be $6.6 million. The potential exposure includes required notifications to those whose personal information is compromised, along with the brand damage.
Companies also face the risk of class action litigation from people whose personal information was stored on the stolen device. Most such lawsuits have failed so far because the plaintiffs have been unable to prove actual damages, but many experts think it’s only a matter of time before a stolen device leads to a big class action verdict.
David Johnson, a partner at Jeffer Mangels Butler & Marmaro, agrees that security technology can guard against such a court judgment. “You’ll be held liable only if there are actual losses to customers,” he says. “If you can delete data remotely and prevent those losses … then do it, make it happen.”
The most common solution to protecting digital data is whole disk encryption. Encryption software can make all data on laptops, smart phones and flash drives unreadable without access to the decryption key. State privacy laws eliminate the duty to disclose lost or missing personal data if data on the device is encrypted and the key is not kept with the device, according to Philip Gordon, chairman of Littler Mendelson’s Data Privacy and Data Protection Practice Group.
But problems arise because users may not understand the importance of protecting the data.
In the 2008 Ponemon study, 58 percent of non-IT business managers said their laptop data was encrypted, but a majority of them circumvent company security procedures.
According to the study, 56 percent of business managers had disengaged their laptop’s encryption, and 48 percent admit this is in violation of their company’s security policy. Fifty-eight percent said they kept the encryption key on a Post-it note attached to the laptop or on another personal document or shared the key with other people.
“Most of the time when encryption is defeated as a security measure, it is due more to the way the encryption was implemented, such as not securing keys and passwords, than to the underlying technology itself,” says James Zinn, a managing director at Huron Consulting.
Because encryption is often circumvented, some companies are turning to security products reminiscent of the weekly message to the covert operations unit in the classic television series “Mission Impossible”: “Good luck, Jim. This tape will self-destruct in five seconds.”
“[Remote destruction of data] seems to be an increasingly popular way to protect against theft or loss of corporate information,” Zinn says.
Regan McCarthy, president of BackStopp USA, says his company can remove data through a standard Internet, cellular (GSM/3G), Wi-Fi, WiMAX, GPS or RFID connection to a lost or stolen item. After locating a device, the system performs multiple overwrites, eradicating and making unrecoverable all target data in minutes.
“If a laptop has a Web camera, a picture of the thief can also be taken remotely,” McCarthy says.
Geoff Glave, product manager at Absolute Software, maker of Computrace and Lojack for Laptops, says his company can remotely delete data, recover missing computers and render them unusable–no matter if they’re on or off the Internet. It can also track a device to approximately 33 feet of its exact location.
Ensconce Data Technology owns a patent for an “Armageddon-version Dead on Demand” chemical technology deployed by remote trigger, which McCarthy says can destroy all data by releasing a caustic chemical without otherwise damaging a computer. That technology is not yet in production.
Another approach is to employ systems that lock the computer. The “Intel AT” (Anti-Theft) chipset, which is appearing in many new laptops, allows a user to initiate a remote lock on a lost or stolen device.
“So if you left your laptop on the subway, you could send it a message that it would receive the next time it contacted our monitoring center,” Glave says. “This message would ‘brick’ [or lock] the laptop. Once it is bricked, you can’t start it up, reinstall the OS [operating system] or do anything with it. If you’re the rightful owner you can unbrick it with your pass code.”
McCarthy employs a system he calls a “device holiday.”
“You say, ‘My computer is powered down at 5 o’clock at night, and if it ever comes alive again, I want you to kill it.’ It doesn’t even have to be on the Internet,” he says. The company can confirm with a user by a text message, or it can start deleting files automatically, depending on the user’s preference.
Zinn says other lockout technologies run on a BlackBerry or iPhone and automatically lock a laptop through a Bluetooth connection. “If I leave my office and have my BlackBerry or iPhone with me, my computer detects that that phone or BlackBerry is not near the laptop and automatically locks the machine if I forgot to do that,” he says.
Fingerprint readers on remote devices offer another solution preventing access to confidential data. Zinn says some manufacturers are building them into laptops and thumb drives.