Eye-openers: Lazar recommends restricting the placement of personal identifying information on laptops. For instance, don't tie customer or employee names to other identifiers such as Social Security or credit card numbers; alternatively, truncate those numbers. Also consider creating your own unique identifiers, for example by combining letters from an individual's last name with the last four digits of his or her Social Security number. Bear in mind that such a derived identifier still carries part of the Social Security number, so it should be handled as sensitive data in its own right.
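The data-minimization steps above, as an added example that is not from the article or from Lazar: a customer record is reduced to a laptop-safe copy by truncating the Social Security and card numbers and replacing the name-to-number link with a derived identifier. The record layout, field names and sample values are assumptions made for illustration; the keyed-HMAC identifier is an alternative added here alongside the last-name-plus-last-four scheme the article suggests.

```python
"""Laptop-safe copy of a customer record: truncate sensitive numbers and
replace the name-to-SSN link with a derived identifier."""
import hashlib
import hmac
import re

# Constructed sample record for the example; the values are made up.
SAMPLE_RECORD = {
    "last_name": "Example",
    "first_name": "Ada",
    "ssn": "123-45-6789",
    "card_number": "4111 1111 1111 1111",
    "balance": "42.10",
}


def _digits(value: str) -> str:
    """Strip separators so '123-45-6789' and '123456789' are treated alike."""
    return re.sub(r"\D", "", value)


def truncate_ssn(ssn: str) -> str:
    """Keep only the last four digits: '123-45-6789' -> '***-**-6789'."""
    digits = _digits(ssn)
    if len(digits) != 9:
        raise ValueError("expected a 9-digit Social Security number")
    return "***-**-" + digits[-4:]


def truncate_card(card: str) -> str:
    """Mask all but the last four digits of a card number."""
    digits = _digits(card)
    if not 13 <= len(digits) <= 19:
        raise ValueError("unexpected card number length")
    return "*" * (len(digits) - 4) + digits[-4:]


def name_ssn_identifier(last_name: str, ssn: str) -> str:
    """The identifier the article suggests: letters from the last name plus the
    last four SSN digits. Easy to build and to recognise, but it still embeds
    part of the SSN, so it must be treated as sensitive."""
    letters = re.sub(r"[^A-Za-z]", "", last_name).upper()[:4]
    last4 = _digits(ssn)[-4:]
    return letters + last4


def keyed_identifier(ssn: str, key: bytes) -> str:
    """Alternative added here (not from the article): an HMAC of the full SSN
    under a key that stays off the laptop, so the laptop copy carries no SSN
    digits at all. The key matters: there are only a billion possible SSNs,
    so an unkeyed hash could be reversed by brute force."""
    return hmac.new(key, _digits(ssn).encode(), hashlib.sha256).hexdigest()[:16]


def laptop_safe_record(record: dict, key: bytes) -> dict:
    """Return a copy with no direct link from a person's name to their full
    identifiers; the name itself stays in the office system."""
    return {
        "customer_id": keyed_identifier(record["ssn"], key),
        "ssn_last4": truncate_ssn(record["ssn"]),
        "card_last4": truncate_card(record["card_number"]),
        "balance": record["balance"],
    }


if __name__ == "__main__":
    print(laptop_safe_record(SAMPLE_RECORD, key=b"office-only-secret"))
```

The keyed identifier is only as good as the key handling: if the key travels with the laptop, the HMAC adds nothing over the truncated digits, which is the management problem Semple describes below.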
Second, require that personal information on laptops be encrypted, despite the cost (US$50 to US$100 per laptop) and the performance hit involved, says Lazar. This needs to be accompanied by consciousness-raising, says Blair Semple, storage security evangelist at NetApp and vice chairman of the Storage Networking Industry Association's Storage Security Industry Forum. "I've seen situations where people had the capability to encrypt but didn't," he says. "Scrambling the bits is the easy part; it's the management and deployment that's hard."
Third, Lazar recommends policies requiring very strong passwords to protect data on stolen devices. On its own, a login password does not protect data on a disk that has been removed or imaged, which is why this step belongs alongside the encryption requirement above.
2. Insider Theft
In November 2007, a senior database administrator at Certegy Check Services, a subsidiary of Fidelity National Information Services, used his privileged access to steal records belonging to more than 8.5 million customers. He then sold the data to a broker for US$500,000, and the broker resold it to direct marketers. The employee was sentenced to over four years in jail and fined US$3.2 million. According to company officials, no identity theft occurred, although affected consumers received marketing solicitations from the companies that bought the data.
In another high-profile case, a 10-year veteran scientist at DuPont downloaded trade secrets valued at US$400 million before leaving the company in late 2005 to join a competitor in Asia. According to court records, he used his privileged access to download about 22,000 document abstracts and view about 16,700 full-text PDF files. The documents covered most of DuPont's major product lines, including some emerging technologies. The scientist did this while in discussions with the competitor and for two months after accepting the job. He was sentenced to 18 months in federal prison, fined US$30,000 and ordered to pay US$14,500 in restitution.
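Both cases above share one observable: a single account pulling far more records or documents than its peers over a sustained period. The following is an added example, not from the article or from either company, of the detection logic a practitioner would run over document-access logs to surface that pattern. The log format, user names, thresholds and the log lines themselves are constructed for the example.

```python
"""Flag accounts whose daily document access is far above the population."""
import random
from collections import defaultdict
from statistics import median


def build_sample_log(seed: int = 1) -> list:
    """Construct a synthetic access log (not real data): six normal users with
    a few document views per day over 30 days, plus one account that pulls
    hundreds of documents a day, as in the cases described above."""
    rng = random.Random(seed)
    lines = []
    for day in range(1, 31):
        date = f"2005-11-{day:02d}"
        for user in ("asmith", "bjones", "clee", "dkhan", "epark", "fwong"):
            for _ in range(rng.randint(2, 8)):
                lines.append(f"{date} {user} view DOC-{rng.randint(1000, 9999)}")
        for _ in range(rng.randint(300, 500)):
            lines.append(f"{date} bulkuser download DOC-{rng.randint(1000, 99999)}")
    return lines


def parse_line(line: str) -> tuple:
    """Assumed log layout: 'YYYY-MM-DD user action doc_id'."""
    date, user, action, doc = line.split()
    return date, user, action, doc


def daily_counts(lines) -> dict:
    """Map (user, date) -> number of distinct documents touched that day.
    Distinct documents, not raw events, so that re-opening one file many
    times does not look like a bulk pull."""
    docs = defaultdict(set)
    for line in lines:
        date, user, _action, doc = parse_line(line)
        docs[(user, date)].add(doc)
    return {key: len(value) for key, value in docs.items()}


def flag_bulk_access(lines, factor: int = 10, min_docs: int = 50) -> list:
    """Return (user, peak_daily_docs) for users whose busiest day exceeds both
    an absolute floor and `factor` times the median user-day across the
    whole population. The median is robust to the outlier itself."""
    counts = daily_counts(lines)
    baseline = median(counts.values())
    peak = defaultdict(int)
    for (user, _date), n in counts.items():
        peak[user] = max(peak[user], n)
    return sorted(
        (user, n) for user, n in peak.items()
        if n >= min_docs and n > factor * baseline
    )


if __name__ == "__main__":
    for user, n in flag_bulk_access(build_sample_log()):
        print(f"{user}: peak {n} distinct documents in one day")
```

Two caveats the cases above make obvious. The DuPont downloads ran for months, so a rolling total per user over a longer window should sit beside the per-day peak, or a slower exfiltration will never cross the daily threshold. And because the Certegy insider was the database administrator, the access log this runs over must be collected somewhere the administrator cannot edit or disable; a log the suspect controls detects nothing.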
Costs: In DuPont's case, the estimated value of the trade secrets was more than US$400 million, although the government pegged the company's loss at about US$180,500 in out-of-pocket expenses. There was no evidence that the confidential information was transferred to the competitor, which cooperated in the case.
According to Semple, theft of customer information is nearly always more costly than theft of intellectual property. In Certegy's case, a 2008 settlement provided compensation of up to US$20,000 for certain unreimbursed identity theft losses for all class-action plaintiffs whose personal or financial information was stolen.