How to Protect Data on a Laptop

Having a laptop stolen can be much more expensive for a business than just its replacement cost. Consider what happened when a consulting firm’s laptop was stolen with Hotel.com customer data on it.

The computer was taken from a parked car in Houston in February. It contained names, addresses and credit card information for 243,000 customers of the online travel agency.

As a result, the consulting firm, Ernst & Young, began notifying those customers in May. Just the first-class postage alone would cost nearly $100,000. Add the cost of hiring a public relations firm to deal with the inquiries -- which Hotels.com did -- staffing a hotline and paying for affected customers to have their credit monitored and the damage to both companies’ reputations, and all that makes the $2,000 cost of the lost laptop pretty insignificant.

“It can cost up to $90 per person” to notify and mollify customers affected by a loss of laptop data, said Robert L. Siciliano, chief executive of IDTheftSecurity.com.

All for lack of a $40 encryption program.

Even the Federal Trade Commission, the federal agency that protects consumer interests in data security breaches, is not immune. Last month, it reported that the personal data of 110 individuals, including names, addresses, Social Security numbers, dates of birth and some financial account numbers were on two stolen FTC laptops.

“Laptop security is definitely out of control,” said Avivah Litan, a vice president and analyst with Stamford, Conn.-based Gartner Inc., a research and advisory firm. “It is bordering on negligence.”

Whether there is more data being lost or just more companies are willing to report losses is unknown.

A 2003 state law requires all companies doing business in California to report the loss of any data that include a person’s name and a driver’s license, Social Security or credit card number. Experts believe the law has had an effect on the reporting of such losses.

Other states, including New York and Washington, have adopted similar laws. A U.S. Senate bill, modeled after the California statute and sponsored by Sen. Dianne Feinstein (D-Calif.), has languished in committee since it was introduced 18 months ago.

It is on laptops and other stolen equipment that the bulk of data are being lost. Sixty percent of information theft results from lost or stolen equipment and 25% from network intrusion, according to Pointsec, a Sweden-based data encryption software company.

Business travelers’ laptops are easy targets for thieves. A laptop is a valuable piece of equipment that we hang on our shoulders for the world to see. They are often stolen or left behind at airports and hotels and while travelers are getting in and out of cabs, said Ben Haidri, vice president of marketing for Vancouver, Canada-based Absolute Software.

“In this type of theft, the bad guy is going to sell it as fast as they can,” he said, often for as little as $25. “You see a dozen a week for sale in San Francisco on street corners.”

Absolute Software sells programs to help retrieve stolen computers and secure their data. Unbeknown to the thief, the first time a stolen computer with an Absolute program is connected to the Internet, the software is activated to work behind the scenes to help trace the computer.

Absolute’s LoJack for Laptops -- or Computrace for corporate customers -- silently sends messages to recovery officers at the software company.

They are able to find out information about the person using the computer. And it’s often not long before the police are knocking at the door. (Other companies that sell asset recovery programs include Brigadoon Security Group, CyberAngel Security Solutions Inc. and Trackion.)

Absolute says it recovers 90% of the stolen computers that log onto the Internet and contact its monitoring center. It takes 44 days on average to recover them.

A lot of sensitive data can be compromised in a month and a half. Absolute also has software that will slowly destroy all files on a stolen computer.

I had my laptop stolen from my home office in 2002. Although I had no sensitive customer data on it, like one-third of folks, I had not backed up my work, including several articles I was working on. Those stories and the work I had done on them were much more valuable to me than the $1,700 the computer cost.

Absolute is working on a program that Haidri said would be released in the fall and would allow the retrieval of important files from stolen computers -- even if you didn’t get the laptop back.

The other piece of this puzzle is encryption software. In the wake of the Hotels.com incident, Ernst & Young has installed encryption software on 30,000 computers.

Encryption programs are available from more than a dozen vendors including Pointsec, Utimaco Safeware and SafeBoot, analyst Litan said.

Perhaps the best way to avoid data loss is to not have it on laptops at all.

“Never allow employees to transfer sensitive data to unmanaged systems” such as laptops or personal computers, Litan said.

“If they insist on having data on their laptops, get rid of the identifying information,” she said. “If you steal data that doesn’t include hard information [such as Social Security numbers], there’s not a lot of damage you can do.”

Or even better, don’t lose your laptop in the first place.

Siciliano reduces the risk of losing his laptop by taping his picture and business card to it. It protects against the generic announcement through the public address system: “Will the person with the dull gray laptop report back to security?”

“If you have your business card on it, then they call your name to go back to security,” he said. “Or if you leave it in a hotel room, you immediately get a call.”

James Gilden can be reached at james.gilden@latimes.com.