Promise me you’ll return to this blog piece, but go ahead and open a new tab and search for “stolen laptop.” Filter the search results for a specific year. Or refine the search within an industry, eg. healthcare or financial. Too many results. Too many incidents. The U.S. Department of Health and Human Services, Office for Civil Rights, has a breach portal – https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf – only incidents involving more than 500 PHI records are in the database. Search for theft of laptop.
Stolen laptops from a car, home or office. Lost, misplaced, theft or burglary. All industries have been affected – healthcare systems, clinics and labs, state and city agencies, universities and schools, accounting firms, financial and insurance firms, energy and gas companies, the largest soda company in the world…
After a laptop is reported stolen, one of the first defensive action is to disable access of the laptop and the employee into the corporate domain. Removing user access from the corporate domain does not disable local access to the stolen laptop hard drive. Bypassing the desktop logon can be as easy as a Google search. Or mounting the hard drive to another operating system. Files and data can then be accessed, in clear text.
Access to the desktop can lead to access to the laptop owner’s personal email or other saved logins. Logins to a 3rd party vendor that may have sensitive information on clients and patients. Or the vendor site may have programmatic or API access for the thief to pivot to another site for additional information and access.
Laptops can contain local databases containing PII or PHI. Or downloaded lab reports for a patient. Or email attachments of tax documents for a mortgage refinancing application. Or credentials to other database portals.
More companies are encrypting the mobile devices they provide their employees, but many still do not. Furthermore, too many employees are accessing work email or downloading client documents on their own personal devices.
An enterprise security program should include the encryption of its hard drives, particularly in laptop drives. The policy should include encryption of its data-at-rest. This is the additional layer of security where ALL the data, the entire physical hard drive, is encrypted.
All the files in the drive remain encrypted when the laptop is powered off. Upon powering on, the user is prompted for a password to decrypt the drive, which will then continue to boot up to the logon into the operating system desktop. Without the first (encryption) password, the drive and all its data – system and data files – remain encrypted.
The requirement for encrypted hard drives may vary by industry, whether the vendor is under a military or government contract, or operating under PCI- or HIPAA- compliance. But if one of your corporate laptops gets stolen and the first thought that crosses your mind is, “I hope it doesn’t contain any of **MY** sensitive information?,” then that laptop needs to be encrypted.
It should be company policy to encrypt all company-issued laptop drives. Even if the drive does not have any PII or PHI, work documents, e-mail and browser history access alone through the stolen laptop can be used to obtain further access into sensitive corporate, staff, customer or client information. Whole volume encryption will secure the data-at-rest. Well, it’s a start.