Laptop computers get lost and stolen all the time -- it's a fact of life. But it's time to throw the book at companies that still don't understand how to protect the data stored on these systems.
Almost every week, yet another high-profile laptop data theft makes the news. While there is no easy way to keep a laptop PC safe, it is absurdly easy to ensure that the data on a lost or stolen laptop never creates a security risk.
A few months ago, bMighty.com published my comprehensive guide to using a tool called TrueCrypt. This application can protect the data on a hard drive with encryption that is, for all practical purposes, unbreakable. It can encrypt individual files, an entire disk or disk partition, or even an entire desktop operating system.
TrueCrypt is an open-source application that enjoys a stellar reputation among security professionals. Anyone, including businesses, can download and use it completely free of charge. And TrueCrypt is incredibly easy to work with, even for non-technical users.
Other data-encryption tools, both open-source and proprietary, are also available. Many of them are quite good. So why do we keep reading about colossal acts of stupidity like this? Or this?
If you keep important personal data on a laptop, what happens to that data is your business. But honestly, it's hard to feel sorry for someone who can't take a common-sense security measure -- and pays the price as a result.
Businesses, however, are a different matter entirely. At this point, when a business laptop gets stolen with sensitive, unprotected data on it, there are two criminals: the thief who stole the laptop and the company that failed to protect its customers by using a data-encryption tool.
Here's a suggestion. Set up a certification program for companies that protect laptop data with robust, effective encryption tools. Companies that participate can fund the program themselves and agree to random audits of their laptops.
When a certified business loses a laptop, indemnify it against lawsuits related to the missing -- but protected -- customer data. Currently, for example, a small business that fails to protect its customers' data properly could face years of Federal Trade Commission audits. If a company can prove that the data on a stolen laptop was properly encrypted, reward it by making it exempt from such punitive measures.
Does that sound too complicated? Actually, I think it sounds a lot less complicated than some other laptop data-protection schemes that make headlines but have absolutely no chance of making a real difference anytime soon.
And what about companies that still don't get the message? Throw them to the wolves. They deserve what they get.
Wednesday, May 20, 2009