A company can tell customers that data on a missing or stolen device was encrypted, but that will do little to quell anxiety unless there's actual proof that was the case, one security expert said after Home Depot and Iron Mountain admitted losing sensitive data on employees and other individuals.
Atlanta-based Home Depot acknowledged Wednesday, the names, home addresses and Social Security numbers of 10,000 employees -- most from the Northeast -- was stored on a laptop stolen from the car of a company manager in Massachusetts. Company spokesman Ron DeFeo told The Associated Press (AP) that no customer data was on the device and that there's no indication of fraud thus far. He said the laptop was password-protected but didn't say if the data was encrypted.
In a separate incident, Boston-based data-protection and storage company Iron Mountain Inc. admitted it lost a decade's worth of bank account data and Social Security numbers for almost all Louisiana college applicants and their parents during a move when a driver apparently failed to follow company security procedures. The driver reportedly lost a case full of backup data for every Louisiana application for federal student aid from 1998 through Sept. 13, 2007, according to Melanie Amrhein, executive director of the Louisiana Office of Student Financial Assistance. The data was being moved from Iron Mountain's Port Allen facility to Baton Rouge. It's unclear if the data was encrypted.
"We certainly don't want to create any panic. But people should be aware and take the necessary steps," Amrhein told the AP. "This is backup data off of a mainframe that contains sensitive personal information."
The incidents are just the latest in a long list of security breaches in the last two and a half years involving the loss or theft of devices housing sensitive data or the theft of information directly from company computer networks. Some of the most recent breaches affected those doing business with TD Ameritrade, Johns Hopkins Hospital, Pfizer and several academic institutions such as the Brevard Public Schools District in Florida and the University of South Carolina.
When stolen data is encrypted, companies are quick to point it out as a way to ensure customers that their identities are safe. But companies must do more than say the data was encrypted. They must be able to show proof that was the case, said Steven Sprague, CEO of Lee, Mass.-based trusted computing applications and services provider Wave Systems Corp.
"If you buy encryption you need to work with the company's legal department and top executives on a process where you can prove data on a stolen device can't be tampered with," he said. "A cradle-to-gave transaction record on the server is one way to provide an inventory on the current state of all your drives. Another, more difficult approach is to write everything down."
He said it helps if a company can show it is using a reputable vendor to put a barrier around stored data, and mentioned Seagate Technology as an example. The Scotts Valley, Calif.-based hard drive maker said this week it will roll out enterprise-class drives with full disk encryption in 2008 and will push to make hard-drive encryption standards a reality to reduce complexities that could hinder adoption.
Two standards bodies, The Trusted Computing Group (TCG) and the IEEE 1619.3 are establishing a security protocol for communicating with self-encrypting hard drives and creating a key management standard to ensure interoperability between the vendor products. Wave Systems has representation on the TCG's board of directors.