AlertBoot Endpoint Security

Hard Drive Encryption On Bank Auditor Laptop Would Be A Good Idea

An auditing firm for the Borrego Springs Bank experienced the theft of seven laptop computers.  It remains to be seen whether hard disk encryption like AlertBoot was used to protect the contents, which included clients' bank account information "as well as information from a number of other financial institutions," according to signonsandiego.com.

When you consider that almost all of the bank's customers were affected by this latest breach, using some kind of data protection program would have been ideal, if not a no-brainer.  I mean, you've got the foundation of all of your assets on seven laptops--what would you do?  Wouldn't you be a little paranoid?  Especially if their money ended up giving your bank a total deposit figure of $101,987,000?

Blame The Auditor?

Let's say that there was no encryption, which I'm hoping is not the case.  The circumstances hint that there wasn't: California's breach notification law applies only to unencrypted personal information, so a company that had encrypted the data would have had no obligation to notify, and I'd imagine that most businesses would want to take advantage of such a provision in the law.  On the other hand, auditing firms usually have data controls and protection in place.

But coming back to the assumption of "no encryption": who's to blame?  Not primarily the bank, in my opinion.  I'd assign the bank some of the blame, too, but if I had to choose, I'd have to blame the auditors.  After all, it was the auditor's computers that were stolen.

This is not about blaming the victim.  The truth is that theft happens, and companies that are in the business of dealing with sensitive data must ensure that certain protections are in place.  An auditing firm deals with sensitive data all the time.  They are privy to some of the most sensitive documents a company has to offer, and they know it.

When a company deals with such data, it's only natural that it should have thought about data protection policies a long time ago, ideally since the beginning, and implemented them.  Chances are that the laptops were not bank property.  This, in turn, means that the auditing firm copied data to its own computers, computers that it uses for its everyday business.  Wouldn't it make sense for them to have at least full disk encryption on them?

After all, an auditor's laptop must be a treasure trove of information: SSNs, bank account numbers, corporate account numbers, contact details for C-level personnel, etc.

Blame The Bank?

The bank could have required the auditor to secure the client data via a contract, with hefty penalties if the auditor was in breach of it.  But ultimately, the bank wasn't in a position to enforce the terms.  And history shows that when a requirement can't be physically enforced, many companies just pay it lip service.  The Gap, for example, had a data breach a couple of years back after a third-party contractor had promised that The Gap's information would be encrypted.  It wasn't.

I guess the bank, in our scenario above, could have been proactive and sent the information to the auditor in encrypted form using file encryption.  This, too, doesn't work most of the time.  Many companies, after receiving such information, will create a new file out of it, stripped of its protections.

For example, if the information arrives as an Excel spreadsheet, the information is copied over to a new Excel sheet.  In effect, the encryption just works to protect the information while it's being sent over the networks.  Once it arrives, it's still subject to all the security holes a company has to offer.

The reason?  Imagine having to type in a password every time you have to access a file.  (Incidentally, this is why in some ways a hard disk encryption solution is better than a file encryption program: the user authenticates once at boot, and everything on the disk is protected without any further effort or decision on their part.)

Using Hard Drive Encryption

Hard drive encryption doesn't provide some kind of panacea for your data security woes.  But it's a particularly powerful and convenient way of managing and minimizing your data security threats.  Keep in mind the following points if you decide to use it:

  • It's the hard drive that's encrypted.  This means that files copied off of it will be unprotected/unencrypted
  • E-mailed files will also be unprotected since they're leaving the confines of the hard disk
  • Make it a habit to shut down the computer completely after using it.  Disk encryption can't protect your data while the laptop is up and running: you typed in your password at startup, and from that point the decryption key sits in memory and the disk reads as plaintext.  Putting the machine to sleep is not the same as shutting it down; in suspend-to-RAM the key stays in memory.  If your computer gets stolen while you're logged in, you'd better pray the thief shuts it down at some point.
  • Don't write your password and stick it to the underside of your computer.  It goes without saying, but for some reason this happens.  A lot.
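The list above assumes the drive really is encrypted, which is exactly the point in doubt in the Borrego Springs case.  As an added example, not from the original post or from AlertBoot, here is a small POSIX shell check for a Linux laptop: it resolves the block device behind a mountpoint with findmnt, walks the device's ancestors with lsblk --inverse, and reports whether that chain passes through a dm-crypt (LUKS) layer.  The two embedded lsblk outputs are constructed samples, not captured from a real machine, and the LVM-on-LUKS and plain-partition layouts they describe are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not part of the original post): does a mounted filesystem
# actually sit on top of a dm-crypt (LUKS) device?  Only util-linux tools
# (lsblk, findmnt) are used; no root privileges are required to read the tree.

# chain_is_encrypted "<lsblk --inverse --raw --noheadings -o NAME,TYPE output>"
# The --inverse listing starts at the device itself and walks down to the
# physical disk (e.g. lvm -> crypt -> part -> disk).  Any ancestor of TYPE
# "crypt" means the data passes through dm-crypt on its way to the platter.
# Exit status: 0 = encrypted somewhere in the chain, 1 = plaintext all the way.
chain_is_encrypted() {
    printf '%s\n' "$1" | awk '$2 == "crypt" { found = 1 } END { exit found ? 0 : 1 }'
}

# mount_is_encrypted [mountpoint]   (default "/")
# Live check on a Linux machine: look up the backing device, then its ancestors.
mount_is_encrypted() {
    mp=${1:-/}
    dev=$(findmnt -n -o SOURCE "$mp") || return 2
    dev=${dev%%\[*}      # btrfs reports "/dev/sda2[/subvol]"; keep the device only
    [ -n "$dev" ] || return 2
    chain_is_encrypted "$(lsblk --inverse --raw --noheadings -o NAME,TYPE "$dev")"
}

# Constructed sample outputs (assumed layouts, not captured from a real host).
# LVM on LUKS: root logical volume -> LUKS container -> partition -> disk
SAMPLE_LUKS='vg-root lvm
cryptroot crypt
sda3 part
sda disk'
# Unencrypted: root partition directly on the disk
SAMPLE_PLAIN='sda2 part
sda disk'

if chain_is_encrypted "$SAMPLE_LUKS"; then
    echo "LVM-on-LUKS sample: data at rest is encrypted"
fi
if ! chain_is_encrypted "$SAMPLE_PLAIN"; then
    echo "plain-partition sample: NOT encrypted; a thief can read the disk directly"
fi

# On a real laptop:  mount_is_encrypted / && echo "root filesystem is on dm-crypt"
# Remember to check every mountpoint that holds data (/home, a separate /data),
# not just the root filesystem, and note that this says nothing about files
# copied to USB sticks or attached to e-mail, which leave the encrypted volume.
```

The check answers one narrow question, whether bytes written to the filesystem reach the disk through dm-crypt.  It does not tell you whether the passphrase is weak, whether the key is held in RAM because the machine is only asleep, or whether the hibernation file lives outside the encrypted volume; those are the operational points from the list above.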


Related Articles and Sites:
http://datalossdb.org/incidents/1879-names-and-financial-information-including-account-numbers-and-balances-on-stolen-laptops

Comments

AlertBoot Endpoint Security said:

Last week I commented how, if you have the basis for all your company assets on seven laptops, it makes

April 13, 2009 9:52 PM
 

AlertBoot Endpoint Security said:

The past week I've been following up on the lack of drive encryption software on six laptops (originally

April 17, 2009 7:52 PM
 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.