As far as Joseph Gimigliano is concerned, the best way to deal with a laptop or handheld device being stolen isn't to run down the street yelling, "Stop, thief!"
"We're trying to make what they steal not valuable," says Gimigliano, associate director of architecture and security at Purdue Pharma, a drug company. "It's not the laptop that's of value. It's the data that's on it."
To that end, Purdue Pharma, like a lot of other companies right now, is testing methods of encrypting data on laptops, starting with the least expensive option of all — using features built into Microsoft products that Purdue already uses. Compliance is a big driver, especially for companies that have personal information about customers saved on portable devices. That's because some of the emerging privacy breach disclosure laws in the US don't require companies to disclose a breach if the personal information on a device was encrypted. The idea behind such rules is that even though the device went missing, the information on it wasn't really compromised.
"Any reasonable type of encryption method will get the 'hackee' off the hook on disclosure," says Erika S Koster, a partner in the intellectual property group at law firm Oppenheimer Wolff & Donnelly. Koster notes that whether a company opts for full-disk encryption or an emerging category of "policy-based" encryption doesn't really matter from a compliance standpoint (although better security generally means better defence against lawsuits).
Encryption isn't the only option for protecting laptops and the increasing array of handheld devices, from PDAs to supercharged mobile phones. Companies also have to weigh whether a password is enough and, if not, assess what authentication method to use to access the device.
They can also consider software that either deletes sensitive information or traces the device if it is stolen. Many of the options in this last category are even built into existing products. Purdue, for instance, has taken advantage of a feature built into the BlackBerry that allows the device to be remotely reset if it's lost or stolen.
Whatever options are selected, however, it's important to remember that the least expensive risk-reduction method of all is not putting sensitive information on portable devices in the first place. At UPS — which is now evaluating its encryption options for 20,000 of its laptops — management embarked a couple of years ago on an enterprise-wide quest to remove Social Security numbers from all kinds of documents except in cases where they were absolutely necessary, like for processing payroll.
"We eliminated the use of [Social Security numbers] in hundreds if not thousands of places," says Randolph Smith, a manager of information security at UPS. "All it required was a behavioural change. We have much less risk, and we have fewer things to worry about, at very little expense."