Lost confidential information: what the organization should do and why
In the last 18 months, over 40 instances of stolen laptops containing sensitive information have featured prominently in the news. These thefts could result in the unauthorized disclosure of personal records for over twenty-eight million individuals. The organization’s efforts to lock down the workplace may have slowed thefts of desktops and removable media, but laptop thefts typically occur outside of the workplace. For IT asset management professionals the questions are “What is the organization’s responsibility to ensure that sensitive data is not put at risk, and how can I implement business practices to meet these expectations?”
The organization is indeed responsible for protecting sensitive data. According to Lawrence Husick, a noted Intellectual Property Attorney with the firm of Lipton, Weinberger & Husick, and faculty member at the University of Pennsylvania and the Johns Hopkins University, “The proprietor of the information has a legal obligation to maintain the security of information relating to its employees and those individuals with whom it does business. Beyond the stringent requirements of laws such as HIPAA, Gramm-Leach-Bliley and the California Security Breach Information Act, organizations need to take every reasonable precaution in safeguarding confidential information. This obligation also applies to third party accounting organizations, consultants, and law firms, in whom the proprietor places a special trust”. Husick added further that, “allowing confidential information to leave the office without extra measures such as automatic encryption may result in legal liability if the information is lost or compromised.”
So, what actions can the organization take to reduce the risk?
Step One: Know where the sensitive data is kept
According to Ed Cartier, Senior VP of Eracent, which specializes in IT asset and information management solutions, “It is not difficult to scan all of the devices, even in a very large organization, and get a report of specific file types or file names on specified device types.” What about the elusive laptop? Cartier responded, “Using Eracent’s technology, a member of the IT staff could easily obtain a list of all laptops containing the file types or file names that have sensitive information.” An automated network discovery and inventory system enables the organization to monitor what applications and information reside on specific computers or types of computers.
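To make Step One concrete, the following is an added example of a minimal file-type and file-name discovery scan run against one device, written for this article and not Eracent’s software or code. The extension set, the name patterns, the hostname and the sample file tree are all constructed assumptions; in practice the scan would run under the inventory agent on each device and feed a central report.

```python
"""Added example: a sensitive-file discovery scan of the kind Step One describes.
Not Eracent's code; extension list, name patterns and sample files are assumptions."""
import fnmatch
import os
import tempfile
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed policy inputs: file types and name patterns that, for this example,
# the organization has declared to contain sensitive information.
SENSITIVE_EXTENSIONS = {".xls", ".xlsx", ".csv", ".pst", ".mdb"}
SENSITIVE_NAME_PATTERNS = ["*payroll*", "*ssn*", "*customer*list*", "*patient*"]


@dataclass
class Finding:
    path: str         # path relative to the scanned root
    size_bytes: int   # -1 if the size could not be read
    reason: str       # which rule matched: "extension" or "name:<pattern>"


def classify(filename: str, extensions: Iterable[str], patterns: Iterable[str]) -> Optional[str]:
    """Return the rule a filename matches, or None if it is not flagged."""
    lower = filename.lower()
    _, ext = os.path.splitext(lower)
    if ext in extensions:
        return "extension"
    for pat in patterns:
        if fnmatch.fnmatch(lower, pat.lower()):
            return f"name:{pat}"
    return None


def scan_for_sensitive_files(root: str,
                             extensions: Iterable[str] = SENSITIVE_EXTENSIONS,
                             patterns: Iterable[str] = SENSITIVE_NAME_PATTERNS) -> List[Finding]:
    """Walk a directory tree and collect every file that matches a rule."""
    findings: List[Finding] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            reason = classify(name, extensions, patterns)
            if reason is None:
                continue
            full = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(full)
            except OSError:       # file vanished or unreadable: still report it
                size = -1
            findings.append(Finding(os.path.relpath(full, root), size, reason))
    findings.sort(key=lambda f: f.path)
    return findings


def summarize(hostname: str, findings: List[Finding]) -> dict:
    """One row of the inventory report: does this device hold data that policy says must be encrypted?"""
    return {
        "host": hostname,
        "sensitive_files": len(findings),
        "bytes_at_risk": sum(f.size_bytes for f in findings if f.size_bytes > 0),
        "requires_encryption": bool(findings),
    }


def demo() -> dict:
    """Build a constructed laptop file tree in a temp directory and scan it."""
    sample = {   # constructed sample files; only two should be flagged
        "Documents/Q3_payroll_summary.docx": b"x" * 1200,
        "Documents/customer_list_2006.csv": b"x" * 800,
        "Downloads/readme.txt": b"x" * 50,
        "Pictures/vacation.jpg": b"x" * 3000,
        "Projects/notes.md": b"x" * 10,
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in sample.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        findings = scan_for_sensitive_files(root)
    return {"findings": findings, "report": summarize("laptop-042", findings)}


if __name__ == "__main__":
    result = demo()
    for f in result["findings"]:
        print(f"{f.path:45} {f.size_bytes:>8} B  {f.reason}")
    print(result["report"])
```

The scan checks the file extension before the name patterns, so a `.csv` is flagged as an “extension” hit even if its name would also match; a report consumer can treat the `requires_encryption` flag as the input to the enforcement described in Step Two.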
Step Two: Build business practices based on enforced policies
Policies are the rules organizations use to set a standard of behavior for their employees. These policies can greatly reduce the risk of sensitive data loss. “Policy may forbid some devices to be removed from the premises, which can be enforced through vigilant and consistent discovery,” explained Cartier. Laptops are acquired to meet the needs of the mobile employee, so restricting the movement of the laptop is impractical. Unfortunately, that movement makes laptops an easy target for petty theft. In order to protect the sensitive data on those laptops, Cartier recommends that “the policy should require the personnel using the devices with sensitive data to encrypt the data. We enforce that encryption and the enforcement of all the policies by supporting the entire lifecycle of the device, ensuring that encryption continues even through the disposal process.”