
Stoopid IT Tricks: Fidelity and the case of the missing laptop

Mar 28, 2006 | 4 mins
Data Center, Security

* Fidelity confirms the theft of a laptop containing private data on HP workers

Due to conditions beyond my control, today I bring you yet another edition of Stoopid IT Tricks.

First the good news: you really only have to worry about this particular problem if your company has workers using laptops, or if you yourself work at HP (or one of its acquisitions) and participate in its 401(k) plan. If you don’t fall into one of those categories, you are off the hook.

Having now eliminated 0.1% of my readers, on to the topic at hand.

On March 22, Fidelity Investments, a very large Boston-based mutual fund company, sent out a security alert to 196,000 customers. Why? Because a laptop with personal information about them had been stolen. What kind of personal information? Oh, you know, the usual stuff: names, birth dates, Social Security numbers, compensation records, and so forth.

The presumably good news – bear with me here – is that most laptops are stolen because someone wants a laptop, and not because of the data that is on it. The bad news, of course, is that if you are an end-user, you may be the one who takes the hit.

Most of this problem goes away of course if the data is encrypted. In the real world however, almost no data on laptops ever sees an encryption algorithm.

Was the Fidelity data encrypted? Hah! Fidelity said that the license to the software that contained the data had expired and “as a result, the scrambled data is difficult to interpret.” I guess that is OK at Fidelity, although it is my understanding that, generally speaking, an “expired license strategy” is not an accepted best practice when it comes to securing data on a disk.

In fairness to Fidelity, it seems to have been prompt in letting the HP employees know what had happened. Give Fidelity a point for that… but minus 10,000 for its laptop security.

If you are an IT manager, do you have any idea what your company’s legal exposure might be whenever a laptop goes out the door unprotected? Do you have any idea what your personal exposure might be if something like this happens and your job title indicates you have responsibility for stored data? My guess is that this would not be what most job recruiters would call a career-enhancing situation.

As we know from other contexts, no one should go out into the world without appropriate protection. If your company’s employees travel with laptops, this is probably a good time to start thinking about locking down all that laptop data, making it as protected as the rest of your company’s data. You have several options: GnuPG and TrueCrypt offer freeware options for most laptop operating systems; if your travelers run MacOS, the Apple Web site is probably your best bet.
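To make the difference between “scrambled” and encrypted concrete, here is an added example (not from the column, Fidelity, or the GnuPG project) that uses GnuPG, one of the freeware options named above, to encrypt a file at rest with a passphrase and then checks two things a practitioner would actually verify: that a sensitive value is not recoverable from the stored file with a simple text search, and that the data round-trips on decryption. It assumes `gpg` (GnuPG 2.1 or later) is installed; the personnel record and the passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original column. Assumes GnuPG 2.1+ is
# installed as `gpg`; the sample record and passphrase below are constructed.
set -eu

# Encrypt a file at rest with GnuPG symmetric (passphrase-based) AES-256.
# Usage: encrypt_file <plaintext-path> <output-path> <passphrase>
encrypt_file() {
    gpg --batch --yes --quiet --symmetric --cipher-algo AES256 \
        --pinentry-mode loopback --passphrase "$3" --output "$2" "$1"
}

# Decrypt it again. Usage: decrypt_file <ciphertext-path> <output-path> <passphrase>
decrypt_file() {
    gpg --batch --yes --quiet --decrypt \
        --pinentry-mode loopback --passphrase "$3" --output "$2" "$1"
}

# Returns 0 (true) if the marker string is findable in the stored file as-is.
# A file that passes this test is merely "scrambled", not encrypted.
# Usage: leaks_marker <path> <marker>
leaks_marker() {
    grep -a -q -- "$2" "$1"
}

# Round-trip on a constructed personnel record. Prints "ok" only if the
# ciphertext does not contain the SSN and the decrypted copy is identical.
roundtrip_demo() {
    tmp=$(mktemp -d)
    printf 'name=Jane Doe\nssn=000-00-0000\ndob=1970-01-01\n' > "$tmp/record.txt"
    pass='constructed-demo-passphrase'

    encrypt_file "$tmp/record.txt" "$tmp/record.gpg" "$pass"
    if leaks_marker "$tmp/record.gpg" "000-00-0000"; then
        rm -rf "$tmp"; echo "leak"; return 1
    fi

    decrypt_file "$tmp/record.gpg" "$tmp/record.dec" "$pass"
    if cmp -s "$tmp/record.txt" "$tmp/record.dec"; then
        result=ok
    else
        result=mismatch
    fi
    rm -rf "$tmp"
    echo "$result"
}

# Stand-alone run: prints "ok" on success.
[ "${1:-}" = "--demo" ] && roundtrip_demo
exit 0
```

The `leaks_marker` check is deliberately crude: it is the same `grep`-level effort a laptop thief would need, so any stored file that fails it is not protected no matter what the vendor calls the format. Run the script with `--demo` to see the round trip; the same two functions work on any file a traveling employee carries.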

If this doesn’t interest you, then I certainly do not recommend you go to and look for references to lost corporate laptops. There is absolutely no reason to search there for a story on how three weeks ago, two Verizon laptops “went missing”, along with information on many Verizon employees. And by all means don’t rummage around for other examples, like the loss via missing laptop that Ameriprise (an American Express subsidiary) suffered, venting into space information on 150,000 customers last December.

P.S. If you work for IBM, this is no time to gloat when you next see your friends from HP. Ernst & Young, which oversees some of your plans, lost a lot of your data, including “personally identifiable information,” two months ago. It seems another laptop went astray.

And now for today’s other good news: The 2nd Annual Great Storage Haiku Contest is almost upon us! More on that coming soon.