Mission Possible: Encryption Software Isn't the Only Option for Shielding Data
Technologies protect companies from liability by locking or remotely destroying data on stolen devices.
February 28, 2010 at 07:00 PM
6 minute read
Online Exclusive: Plaintiffs data breach suits fail where they can't prove damages.
–
With the theft of portable communications devices at epidemic proportions–128,280 laptops and 106,000 cell phones were reported stolen in the U.S. in 2009, according to the FBI's National Crime Information Center–the expense of a possible data breach from stolen hardware remains an issue of concern for many companies.
As a result, technology companies are going far beyond the common data encryption software to systems that can remotely delete data, lock out thieves from accessing information, locate the missing laptop or portable device, and even transmit a photograph of the thief.
The technology is attractive to corporations because the cost of lost or stolen laptops skyrockets if the computer stored personal information such as birthdates and Social Security numbers. In a December 2008 Ponemon Institute study, 92 percent of IT security practitioners reported that someone in their organization had lost or had a laptop stolen, and 71 percent of those incidents resulted in a data breach. The Institute found the average cost of a 2008 data breach to be $6.6 million. The potential exposure includes required notifications to those whose personal information is compromised, along with the brand damage.
Companies also face the risk of class action litigation from people whose personal information was stored on the stolen device. Most such lawsuits have failed so far because the plaintiffs have been unable to prove actual damages, but many experts think it's only a matter of time before a stolen device leads to a big class action verdict.
David Johnson, a partner at Jeffer Mangels Butler & Marmaro, agrees that security technology can guard against such a court judgment. “You'll be held liable only if there are actual losses to customers,” he says. “If you can delete data remotely and prevent those losses … then do it, make it happen.”
Encryption Evasion
The most common solution to protecting digital data is whole disk encryption. Encryption software can make all data on laptops, smart phones and flash drives unreadable without access to the decryption key. State privacy laws eliminate the duty to disclose lost or missing personal data if data on the device is encrypted and the key is not kept with the device, according to Philip Gordon, chairman of Littler Mendelson's Data Privacy and Data Protection Practice Group.
But problems arise because users may not understand the importance of protecting the data.
In the 2008 Ponemon study, 58 percent of non-IT business managers said their laptop data was encrypted, but a majority of them circumvent company security procedures.
According to the study, 56 percent of business managers had disengaged their laptop's encryption, and 48 percent admit this is in violation of their company's security policy. Fifty-eight percent said they kept the encryption key on a Post-it note attached to the laptop or on another personal document or shared the key with other people.
“Most of the time when encryption is defeated as a security measure, it is due more to the way the encryption was implemented, such as not securing keys and passwords, than to the underlying technology itself,” says James Zinn, a managing director at Huron Consulting.
Data Destruction
Because encryption is often circumvented, some companies are turning to security products reminiscent of the weekly message to the covert operations unit in the classic television series “Mission Impossible”: “Good luck, Jim. This tape will self-destruct in five seconds.”
“[Remote destruction of data] seems to be an increasingly popular way to protect against theft or loss of corporate information,” Zinn says.
Regan McCarthy, president of BackStopp USA, says his company can remove data through a standard Internet, cellular (GSM/3G), Wi-Fi, WiMAX, GPS or RFID connection to a lost or stolen item. After locating a device, the system performs multiple overwrites, eradicating and making unrecoverable all target data in minutes.
“If a laptop has a Web camera, a picture of the thief can also be taken remotely,” McCarthy says.
Geoff Glave, product manager at Absolute Software, maker of Computrace and Lojack for Laptops, says his company can remotely delete data, recover missing computers and render them unusable–no matter if they're on or off the Internet. It can also track a device to approximately 33 feet of its exact location.
Ensconce Data Technology owns a patent for an “Armageddon-version Dead on Demand” chemical technology deployed by remote trigger, which McCarthy says can destroy all data by releasing a caustic chemical without otherwise damaging a computer. That technology is not yet in production.
Lock Out
Another approach is to employ systems that lock the computer. The “Intel AT” (Anti-Theft) chipset, which is appearing in many new laptops, allows a user to initiate a remote lock on a lost or stolen device.
“So if you left your laptop on the subway, you could send it a message that it would receive the next time it contacted our monitoring center,” Glave says. “This message would 'brick' [or lock] the laptop. Once it is bricked, you can't start it up, reinstall the OS [operating system] or do anything with it. If you're the rightful owner you can unbrick it with your pass code.”
McCarthy employs a system he calls a “device holiday.”
“You say, 'My computer is powered down at 5 o'clock at night, and if it ever comes alive again, I want you to kill it.' It doesn't even have to be on the Internet,” he says. The company can confirm with a user by a text message, or it can start deleting files automatically, depending on the user's preference.
Zinn says other lockout technologies run on a BlackBerry or iPhone and automatically lock a laptop through a Bluetooth connection. “If I leave my office and have my BlackBerry or iPhone with me, my computer detects that that phone or BlackBerry is not near the laptop and automatically locks the machine if I forgot to do that,” he says.
Fingerprint readers on remote devices offer another solution preventing access to confidential data. Zinn says some manufacturers are building them into laptops and thumb drives.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllRepublican FTC Commissioner: 'The Time for Rulemaking by the Biden-Harris FTC Is Over'
4 minute readSo You Want to Be a Tech Lawyer? Consider Product Counseling
FTC Lauds Withdrawal of Proposed Indiana Hospitals Merger After Leaning on State Regulators
4 minute readHow Qualcomm’s General Counsel Is Championing Diversity in Innovation
6 minute readTrending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250