Executive Overview - A Strategic Approach to Securing Mobile Data
Published: January 22, 2007 | Updated: May 29, 2007
You might be reading this document from the screen of your laptop computer, or perhaps while waiting for a plane to your next destination. Or perhaps you're at home on the weekend trying to catch up on your to-do list. But do you ever consider whether all the information on your laptop is really secure? What if it's stolen, or if one of your employees loses a laptop? Are your latest designs and marketing plans protected? Is your customers’ private information secure? Or will your organization be the subject of the next news headline for losing thousands of customer records?
"U.S. Survey: Confidential Data at Risk," a recent study by the Ponemon Institute, states "eighty-one percent of 484 survey respondents report that their organizations have experienced one or more lost or missing laptop computers containing sensitive or confidential business information in the past 12-month period."
Concerned? You should be, because losing laptops is a serious problem. With their ever-increasing capacity, laptops can store massive amounts of business and personal information. They are ubiquitous and extremely effective mobile tools, but losing confidential data on them can significantly impact your organization's bottom line, customer goodwill, and legal standing with regard to government-enforced legislation. It can even cost you your job.
However, it is easier than you might think to take steps that can help address these challenging issues. Microsoft has technologies that can help—and you might already have them. In fact, if your organization uses Windows Vista™ or Microsoft® Windows® XP Professional, you already have many of the tools you need. Your organization’s IT department can help control this problem with the free downloadable Microsoft Data Encryption Toolkit for Mobile PCs, which can help organizations such as yours enable the encryption technology that you already own.
The Microsoft Data Encryption Toolkit for Mobile PCs can help protect your organization by reducing the risk that carelessness or simple bad luck will devolve into a major incident and significant loss of time, money, and reputation. The Toolkit, which will be released in the second quarter of 2007 as a free download, uses the Encrypting File System (EFS) (available with Windows 2000, Windows XP Professional, and Windows Vista) and BitLocker™ Drive Encryption (an important new data protection feature in Windows Vista). The Toolkit will also include the EFS Assistant, a tool that helps centrally manage EFS encryption.
Business and technical managers must understand their scenarios, the regulatory climate, and mitigations for data exposure risks. The Microsoft Data Encryption Toolkit for Mobile PCs focuses mainly on the issues of protecting data that resides on mobile computers. However, the same concepts, concerns, and solutions also apply to desktop computers, which face similar risks because of the potential for theft and unrestricted access scenarios.
Consider the following account of a fictitious company’s data disclosure event, which illustrates the problem and possible ramifications.
"Contoso, a midsize technology company located in Canada, produced a widget that customers ordered through its Web site. Personally identifiable information in the Contoso database included customer names, credit card numbers, addresses, and telephone numbers. Customers were from Canada, the United States, the United Kingdom, and France.
At Contoso, a hard-working junior analyst named Nicolas frequently took his work home with him. Before he left work one day, Nicolas copied a spreadsheet of customer information to his laptop so he could run reports against it. That same night, his laptop was stolen from his car while he was shopping. Nicolas immediately reported his loss to his manager and the police.
Nicolas and his manager discussed the incident with the company’s legal department as well as with outside counsel. Nicolas and his manager learned through these discussions that all of their customers would need to be notified of the possible disclosure of their personal information. They immediately produced an explanatory letter to send to customers and set up a hotline to answer customer questions. In addition, they offered one year of credit monitoring for every customer in the database to help prevent identity theft.
Unfortunately, these efforts did not end their problems. Even though there was no indication that the lost data had been used for illicit purposes, several class action lawsuits were filed on behalf of customers in the United States, France, and the United Kingdom that accused Contoso of gross violations of consumer privacy rights. The story was soon picked up by major media outlets, and culminated in a page 2 story in The Wall Street Journal. Within weeks of the loss of the laptop, the company’s stock had lost 8% of its value because of the likely effect on the sale of their widget product. In addition, the hard costs of the incident totaled some $600,000."
A reasonable summary of the costs associated with the preceding story is shown in the following table.
Unfortunately, laptops are easy theft targets. News stories appear with increasing regularity about companies that have accidentally lost or had stolen laptops with sensitive personal or customer information. Although the preceding story is fictitious, an increasing number of real organizations are learning that the costs of such a disclosure are enormous—sometimes orders of magnitude greater than those referenced in the story!
Many calculators are available that can help you compute the true cost of a privacy breach, including the Privacy Breach Impact Calculator available on the Web site of Information Shield, a global provider of information security leading practices.
Organizations that experience a data-disclosure incident face immediate direct operational costs. Examples include internal investigations, consumer hotlines, training and support documentation for call center personnel, direct mail notices to customers, credit card monitoring services, and advertising and marketing to address customer concerns. In addition, a strategic IT initiative will likely be established to prevent such an incident from ever happening again. All of these activities require countless hours of management oversight and distract organizations from their true business.
Brand Damage and Lost Confidence
It's difficult to measure the impact of loss of reputation, the umbrage of customers at their loss of privacy, or the loss of relationship with business partners. The specific circumstances of each incident, brand loyalty, and the success of damage control efforts are all factors that affect how much a brand might be damaged by such a disclosure event. In some cases it might take years to fully regain the lost confidence and trust of consumers.
In addition to business risks, many government agencies around the world are responding to their citizens' privacy concerns by establishing significant civil and even criminal penalties for failing to protect private data.
North American Regulatory Considerations
In the United States, more than 30 states have passed statutes that require organizations (commercial or otherwise) to notify consumers in the event of accidental or illicit data disclosure. Provisions of these statutes are triggered by the lack of encryption of private data. In other words, encryption of private data is explicitly prescribed to mitigate data risks. Besides these state regulations, several federal regulations provide similar restrictions and penalties, including the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Sarbanes-Oxley Act (SOX).
In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) and Personal Health Information Protection Act (PHIPA) mandate strict protection and establish requirements for protecting private data.
European and Asian Regulatory Considerations
In the European Union, the European Data Protection Directive, as implemented by each EU Member State, significantly restricts what consumer data can be kept or maintained by organizations. These restrictions apply to organizations that operate from non-European nations but that have European customers. This Directive sets forth strict guidelines about what private data can be kept and how it can be used, resulting in much international debate and confusion about how the Directive should be applied around the world. These issues are far from settled.
Other important consumer protection regulations might also apply to your organization, such as the United Kingdom’s Data Protection Act (DPA). Like the Canadian regulations referenced earlier, the DPA mandates strict protection and establishes requirements for protecting private data, although the Canadian and United Kingdom regulations are not consistent in their approach to data storage.
Many Asian nations are also developing formal regulations and attempting to adopt consistent approaches through such organizations as the Asia-Pacific Economic Cooperation Telecommunications Working Group (APECTEL). Singapore, Chile, Australia, China, and Indonesia are all working diligently to establish a unified approach to these issues that honors each nation’s public attitudes about free speech, political and economic freedom, and personal privacy. An excellent summary of these approaches is available in the Caslon Analytics privacy guide from Caslon Analytics, an Australian research, analysis, and strategies consultancy.
Organizations with customers in any of these countries are subject to significant civil and sometimes criminal penalties for failing to properly protect their customers’ private data, no matter where the organization itself is located. If your organization maintains private data (the definition of which varies greatly), you must develop a thorough understanding of the constraints that international jurisdictions place upon your data storage policies. Even accidental violations of these regulations can expose organizations to substantial civil fines, business closures, possible criminal charges, and significant legal consultation and trial fees. As a result, many CEOs and board members seek solutions that increase data protection and help ensure compliance.
Helping to Mitigate Risk with the Data Encryption Toolkit
The Microsoft Data Encryption Toolkit for Mobile PCs describes two effective and low-cost solutions for data encryption. The Toolkit is a valuable resource for any security professional who needs to resolve data security issues on mobile computers. Effective implementation of the guidance provided in the Toolkit can help organizations meet certain regulatory requirements. In addition, these technologies provide especially attractive solutions because they are already licensed with the Windows XP Professional and Windows Vista operating systems.
The Toolkit is based on the Encrypting File System (EFS) and BitLocker Drive Encryption, both of which provide robust encryption mechanisms but serve slightly different purposes. The Toolkit provides detailed information about how these security technologies work. It also describes scenarios for which each technology is appropriate, provides deployment best practices, and considers operational issues such as key and data recovery. The Toolkit will also include the EFS Assistant, which will be released in the first half of 2007 to help automate the deployment and configuration of EFS on protected computers.
Toolkit features include the following:
BitLocker Drive Encryption
BitLocker Drive Encryption, a new feature in Windows Vista, provides a seamless way to encrypt all data on an entire hard disk volume. When BitLocker is configured, it works transparently in the background and does not affect typical use of the PC or its applications. BitLocker encrypts the entire volume, so it can prevent many attacks that try to circumvent the security protections in Windows that cannot be enforced before Windows has started.
BitLocker also offers enhanced security for encrypted data by using a security hardware module called a Trusted Platform Module (TPM). TPMs provide offline storage of root encryption keys and an optional personal identification number (PIN) that would be necessary to unlock the disk encryption. TPMs currently ship on laptops from almost all major vendors, including Compaq, Dell, Lenovo, and Toshiba.
Encrypting File System (EFS)
EFS provides seamless data encryption for user-selected folders and individual files. After encryption is enabled, the user experience is transparent. EFS can also help protect against intruders who use certain known attacks to gain unauthorized access to the computer.
Microsoft Encrypting File System Assistant
The Microsoft Encrypting File System Assistant (EFS Assistant) tool complements EFS—it provides an automated, probabilistic way to detect which files should be encrypted. Like EFS, it is essentially transparent to users. It can be configured to regularly scan the hard disk for new data files that are likely candidates for encryption. This functionality mitigates the risk of new user data files being created but left unencrypted and thus exposed.
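As an added illustration (not code from the Toolkit, the EFS Assistant, or this overview), the following PowerShell script performs a simplified version of what the EFS Assistant automates: it walks a folder for common data-file types, reports those that do not carry the EFS Encrypted attribute, and then shows the BitLocker status of the system drive. The folder path and the extension list are assumptions chosen for illustration.

```powershell
# Added example, not code from the Toolkit. Lists data files that are not
# EFS-encrypted and shows BitLocker volume status.
# Assumptions: Windows with PowerShell 2.0 or later; $Root and $Extensions
# are illustrative defaults, not values from the Toolkit.
param(
    [string]$Root = "$env:USERPROFILE\Documents",
    [string[]]$Extensions = @('.doc', '.docx', '.xls', '.xlsx', '.csv', '.pdf')
)

# EFS sets the Encrypted flag in a file's attributes when it encrypts the file,
# so a missing flag on a data file means the file is stored in the clear.
$encryptedFlag = [System.IO.FileAttributes]::Encrypted

$unencrypted = Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue |
    Where-Object {
        -not $_.PSIsContainer -and
        ($Extensions -contains $_.Extension.ToLower()) -and
        (($_.Attributes -band $encryptedFlag) -eq 0)
    }

if ($unencrypted) {
    Write-Output "Data files under $Root that are NOT protected by EFS:"
    $unencrypted | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
    # cipher.exe ships with Windows and encrypts a file in place with EFS.
    Write-Output "To encrypt a file in place, run: cipher.exe /e `"<path>`""
} else {
    Write-Output "All matching data files under $Root are EFS-encrypted."
}

# BitLocker protects the whole volume regardless of per-file attributes.
# manage-bde.exe ships with Windows Vista and later and needs an elevated prompt.
$systemDrive = $env:SystemDrive
Write-Output "`nBitLocker status for ${systemDrive}:"
& manage-bde.exe -status $systemDrive
```

Run it from an elevated PowerShell prompt so the BitLocker status query succeeds; the EFS portion works as a standard user for files that user can read.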
We recommend that you consider your options for protecting confidential data on mobile PCs by reading the Microsoft Data Encryption Toolkit for Mobile PCs Security Analysis. This document will help you understand the special risks presented by laptops, as well as how BitLocker and EFS can help address these risks. You can also use the Planning and Implementation Guide to help guide you through the process of deploying BitLocker and EFS. Finally, if you want to use EFS to protect data on your mobile PCs, you should investigate the EFS Assistant as a way to centrally control EFS in your environment.