At least not to an unencrypted laptop device...
The 2nd quarter of 2008 demonstrates the absurdity of a few lost/stolen laptops affecting thousands of people. Laptops that stolen from Hospitals , Banks, Schools, and government organizations, contained unencrypted private data of thousands of people (employees, former employees, students, clients, patients).
"The computer is password protected" is no longer an acceptable argument to relieve the affected people. Organizations still are not stepping up to their responsibility to govern the data, and to minimize the damage caused by the loss of laptops.
Take the Stanford University case as an example: 62,000 current and former Stanford employees are affected by this theft. The laptop contained their name, address, phone number, and SSN. Why? Well, according to Stanford's announcement the relevant table was erroneously copied to the laptop. The University mentioned that its information security policies and guidelines disallow storing unencrypted sensitive data on any unprotected system. This is a pretty restricted policy, but obviously its implementation is not audited.
With today's database activity monitoring and security solutions, It is possible to restrict the types of activities users perform with sensitive data without completely denying access to this data. After all, it is not enough to have a policy that forbids storing of unencrypted data on laptops, but cannot prevent it or at least issue an alert when data is jeopardized. Effective controls can actually detect the move of sensitive records or entire tables across the enterprise and in particular onto end-stations (not to mention mobile ones), giving the organization a heads-up before mishaps take place.
AT&T stolen laptop is the same story, different organization. Again the data on the stolen laptop included names and SSN of AT&T employees. The data was not encrypted, and AT&T declares that this is a violation of its policy. But why they are aware of this violation only after the laptop was stolen?
On both incidents the organization claim to have detailed accurate information of the data that was on the laptop, so we can assume that they do have some auditing on their database. Unfortunately, their audit trail does not give them real ability to govern the database on real time, and enforce their security policy. It is only a damage control system that functions after the damage has been done.
Leave a comment