How many times do laptops containing personal details have to be stolen from cars before companies responsible for sensitive details realise that sticking the data on a laptop and leaving it in a car is a really, really stupid idea?

Surely, someone should have invented a strong security keyfob by now, which has to be used for a laptop to start up or read any data from the disc. You could argue that a disc can always be read using forensic software, but there must come a point where it just becomes not worth the effort in trying to hack into a disc.

There must be technology around which will render a disc unusable if it is probed too much.

Jon

Losing your own stuff through theft is bad enough, but losing the sensitive data of many others is downright negligent. I don't mean to blame the 3rd party employee whose car was broken into; I would assume that he/she took enough humanly possible precautions to avoid the theft. The real anomaly is that (such being the case) the method of carrying out their work requires the dragging around of all that data on a laptop/usb stick/mobile hdd/whatever in integral and complete form.

Surely 'security through obscurity' is the key here. If there are no names, but only numbers in a data table, then its theft is of very little use to ID fraudsters.

I have a friend who work for the justice dept. She does quite a lot of work from home, on her laptop, involving sensitive (criminal) information. If her laptop should go "missing" there would be no security compromise. All her work is done using a secure, encrypted VPN to the courthouse servers. Nothing is stored locally. This is not just a good idea, it is a legal requirement.

Perhaps in the light of the increasing frequency of data theft, it should become mandatory for people who have access to the private information of individuals to use such technology as proves to be acceptably secure. This is in fact a legal requirement under European data protection law. Organisations found to be carelessly storing private data can be fined.

Anyway, if you use an excel spreadsheet as the basis of your payroll database, you deserve a severe spanking.

Cor

Yet another firm has never heard of IT security, and one that handles payroll information at that.

At this rate hackers and botnet-controllers will be put out of business by opportunist thieves and brain-dead file-sharers.

How many times does this have to happen before it becomes mandatory for encryption of certain data types such as payroll? With programs like TrueCrypt being free and relatively easy to use (certainly easier than payroll programs!) there is really no excuse. If access to that information away from the office is really so important, then so is protecting it!

I think the previous comments have said all there is to say on this subject but I'll add my contribution anyway............

A secure VPN is a very good way to work but not always easily accessible, depending on where you are when you need access to the stored data; hence data often does have to be stored on the laptop/media.

With large capacity memory sticks being easily available there is no reason, or excuse, to store sensitive data on a laptop unless you need fast access for the 'database' application.

As has been pointed out, many encryption tools exist that will 'lock down' a data file or an entire PC if needed. My personal favourite is PGP which I use to protect the files containing my various account and personnal details which I store in numerous files (all in one folder) on my laptop. If I ever do forget the long but memorable pass-phrase, its written down neatly in a sealed envelope in my desk drawer at home.

What is needed is awareness and education, as well as legal requirements and enforcements for organisations that hold other people's data. I look forward (in a way) to the next news item of this type. I just know that there will be one.

Of course, Staff who can work from home as part of their contract should have a secure access. For the rest, if the employers didn't require staff to work well beyond their contracted hours they wouldn't be taking the stuff home to work on.

such laptops SHOULD have hard drive encryption. even a basic auditor would be dumb not to ensure that was company policy. I can foresee that even with Vista, many companies just arent going to use BitLocker. 'too much effort' and 'you're very paranoid arent you?' would be the usual comments.

1. If the employee works from home as part of his normal contract, what on earth is ANY company data doing on the laptop, rather than being reached over VPN on a secure, shared drive? How about back-up of changed data etc.?

2. If working from home is extra to the normal working hours, sort out the resourcing, that makes this necessary, to make it unnecessary.

3. As said, data on disc can be encrypted on the fly (lucky MAC OS users have this available as standard software).

4. Many laptops now can be secured by requiring a fingerprint to enable booting.

5. As has been said, data that really must be taken off site can be on a USB memory stick that can itself be secured with passwords, encryption etc..

Too many people honestly believe that nothing on their laptop is sensitive or believe that their presentations hold nothing confidential and, if lost, can be recreated within a few hours (my partner for one), whatever you tell them, whatever horror stories they read.