Wednesday, May 23, 2007

60% of Enterprise Data on Laptops

I was chatting with Jim Sheward, Chief Executive Officer, Co-founder and Director of Fiberlink, this morning, and he clued me into a data point I had not heard before.

According to research conducted by IDC, fully 60% of the data inside a Global 2000 organization is replicated on laptops that leave that organization. Put another way, 60% of enterprise data is mobile - and only 40% of the data stays within the perimeter.

Whoa, I hear you say - no way. That just can't be possible - not at any company I have shares in/gave blood to/parked my money at. Well, let's explore.

* March, 2005. UC Berkeley. A laptop was stolen containing personal information on 98,369 graduate students and graduate-school applicants.
* November, 2005. Boeing. A laptop is stolen containing a human resources database with 161,000 social security numbers and bank accounts.
* April, 2006. Union-Pacific. A laptop was stolen with the names and Social Security numbers of 30,000 current and retired Union Pacific employees.
* May, 2006. Equifax. A laptop containing Equifax employee names and Social Security numbers of "nearly all of Equifax's 2,500 U.S.-based employees" was stolen from a worker traveling on a train in Europe.
* May, 2006. Ernst & Young/Expedia/Hotels.com. A laptop belonging to an Ernst & Young employee was stolen in a car theft earlier this year. Ernst & Young is the auditor for Hotels.com, an Expedia company, and the laptop contained personal data on 243,000 Hotels.com customers.
* June, 2006. Department of Veterans Affairs. Social security numbers and dates of birth of about 2,200,000 active-duty, National Guard and Reserve troops were likely stored on a PC stolen from a VA employee's home. That device also contained information on 26,500,000 U.S. veterans.
* June, 2006. YMCA. A laptop computer containing personal information on 65,000 members was stolen, including credit card and debit card numbers, checking account information, Social Security numbers, the names and addresses of children in daycare programs and medical information about the children.
* July, 2006. Williams-Sonoma. A laptop stolen from the Los Angeles home of a Deloitte & Touche employee conducting an audit for Williams-Sonoma contained information on 2,600 employees, including payroll information and SSNs.
* July, 2006. US Dept. of Transportation. A special agent's laptop stolen from a vehicle in Miami contained names, addresses, SSNs, and dates of birth for 80,670 persons issued with commercial driver's licenses in Miami-Dade County, plus 42,800 persons in FL with FAA pilot certificates, and 9,000 persons with FL driver's licenses.
* July, 2006. US Navy Recruitment Office. Two laptop computers with information on more than 4,000 Navy recruiters and applicants were stolen.
* August, 2006. Chevron. A laptop containing SSNs and sensitive information related to health and disability plans of up to 59,000 workers was stolen from "an employee of an independent public accounting firm" who was auditing its benefits plans.
* August, 2006. PSA Healthcare. A company laptop was stolen from an employee's vehicle that contained 51,000 names, addresses, SSNs, and medical diagnostic and treatment information used in reimbursement claims.
* September, 2006. General Electric. An employee's laptop computer holding the names and Social Security numbers of approximately 50,000 current and former GE employees was stolen from a locked hotel room while he was traveling for business.
* October, 2006. Gymboree. A thief stole 3 laptop computers from Gymboree's corporate headquarters. They contained unencrypted human resources data (names and Social Security numbers) of upwards of 20,000 employees.
* October, 2006. T-Mobile USA. A laptop computer holding personally identifiable information of approximately 43,000 current and former T-Mobile employees disappeared from a T-Mobile employee's checked luggage.
* October, 2006. U.S. Army Cadet Command. A laptop computer was stolen that contained the names, addresses, telephone numbers, birth dates, Social Security Numbers, parent names, and mother's maiden names of 4,600 applicants for the Army's four-year ROTC college scholarship.
* November, 2006. Internal Revenue Service. According to documents obtained under the Freedom of Information Act, 478 laptops were either lost or stolen from the IRS between 2002 and 2006. 112 of the computers held sensitive taxpayer information such as SSNs.
* November, 2006. Kaiser Permanente. A laptop was stolen from the personal car of a Kaiser employee in California on Oct. 4. It contained 38,000 names and Kaiser ID numbers, along with date of birth, gender, and physician information.
* November, 2006. Philip Morris. 5 laptops were stolen from Altria HR consultant Towers Perrin, allegedly by a former employee, containing the details on 18,000 past and present employees.
* November, 2006. Starbucks. Starbucks lost four laptop computers containing employee names, addresses, and Social Security numbers for more than 60,000 current and former US employees.
* December, 2006. Boeing (again). A Boeing Co. employee loses a laptop containing "the names and social security numbers of hundreds of thousands of employees and retirees".
* December, 2006. Electronic Registry Systems. Two computers (one desktop, one laptop) were stolen containing cancer patient registry data for more than 63,000 patients at several area hospitals.
* December, 2006. KeyCorp. A laptop computer stolen from a KeyCorp vendor contained personally identifiable information, including the social security numbers of 9,300 customers in six states.
* January, 2007. North Carolina Dept. of Revenue. A laptop computer containing personal information on 30,000 taxpayers was stolen from the car of an NC Dept. of Revenue employee.
* February, 2007. Kaiser Medical Center. A doctor's laptop was stolen from the Medical Center containing medical information of 22,000 patients.
* March, 2007. Los Angeles County Child Support. Two laptops were stolen containing data on almost 250,000 individuals.
* April, 2007. Baltimore County Dept. of Health. A laptop was stolen containing personal information, including names, dates of birth, Social Security numbers, telephone numbers and emergency contact information, of 6,000 patients who were seen at the clinic between Jan. 1, 2004 and April 12.
* April, 2007. Chicago Public Schools. Two laptop computers containing the names and Social Security numbers of 40,000 current and former employees were stolen from Chicago Public Schools headquarters.
* April, 2007. ChildNet. Laptop stolen from an organization responsible for managing Broward County's child welfare system. The laptop contained personal information on 12,000 adoptive and foster-care parents including financial and credit data, Social Security numbers, driver's license data and passport numbers.
* April, 2007. Neiman Marcus Group Inc. Neiman Marcus acknowledged this week that sensitive information on up to 160,000 current and former employees was housed on a laptop stolen from one of its consultants.
* May, 2007. Texas Commission on Law Enforcement Standards and Education. A computer was stolen from the state agency that licenses police officers. It contained personal information on 230,000 individuals - every licensed peace officer in Texas - including SSNs, driver's license numbers, and birth dates.

No, I didn't make that last one up. It actually happened. And so did all the rest. And this is just a tiny, tiny sample of the reports.

It begs the question, is there any enterprise data left to steal? Are there any enterprises that wouldn't show up on this list, given enough search time?

It also creates another question - are we allocating our expenditure on security the right way? If fully 60% of our data is now moving through the revolving door, shouldn't we be defocusing the perimeter, and focusing more on end point security?

The answer is, of course we should - and companies like Authentium and Fiberlink are well-placed to meet those needs.

But in addition to beefing up end point security, administrators need to start questioning the need for data to "grow legs" - before it leaves the building.
