The Data Dilemma: Productivity Vs. Protection

These days, retail's data breach du jour is some manager's laptop getting stolen.

It's hardly even newsworthy anymore. Among the more publicized victims are Home Depot, the Gap, Neiman Marcus, Starbucks, the IRS and the classic Veterans Administration theft.

Typically, the laptop's data is either not encrypted or is encrypted behind a simple (most likely guessable) password. Alas, those fingerprint biometric authentication devices for laptops never seemed to catch on.

Like most IT problems, this issue avoids any easy answers. Today's corporate office is being flooded with low-cost data transportation options, from laptops to PDAs to multi-GByte memory sticks and form factors in between. This is a good thing for productivity and convenience, making the lives of telecommuters and frequent travelers easier and more productive.

When wireless with borderline broadband speeds gets thrown in, the temptation to take advantage of this productivity potpourri is almost irresistible for knowledge workers on the road.

Speaking of travelers, Thursday's Washington Post gave movable managers—especially those globally-oriented—more data threats to fear. The story spoke of airport security screeners seizing laptops—and PDAs and other data devices—for multi-day inspections and sometimes ordering the passenger to type in their password, exposing all confidential data. Sometimes, data was deleted.

The story speaks only about transportation from the U.S. to other countries, but there's no reason that it couldn't just as easily expand to domestic flights.

Both situations—laptops getting stolen and getting inspected by persons unknown—are quite troubling.

Breach letters are being sent out so frequently that I wonder if it's going to pique the business interests of Hallmark. A card for every occasion, when you care enough to breach the very best. Perhaps a merger with their Get Well cards? "Sorry to hear that you're not getting around much these days.... [open card] .... but your CVV sure as heck is. Call 1-800-DATA-OOPS for your free year of credit monitoring, courtesy of your neighborhood retail chain."

Or perhaps a birthday card morph? "Great News! I just heard it's your birthday today .... [open card] .... Bad news! I heard about it while reading an Eastern European hacker listserv. Sorry about that. Here's credit monitoring until your next birthday, courtesy of your local physician group."

But what are the technology options? It's a tad bit insincere for retailers to express indignation at their managers taking home confidential-data-laden laptops when they're not aggressively enforcing any data policies. Truth be told, most senior execs like seeing workers being so efficient off-site and they tend to discount the probability of being hurt, until it happens.

The main options are to:
  • Ban confidential corporate data from leaving the office
  • Require that all confidential data be accessed solely from the server, with nothing being stored on anything that leaves the building
  • Adopt a compromise between the two, such as allowing proprietary data to leave the office but no private customer data. At least that keeps the dreaded letters from going out to customers.

No matter which option is chosen—and there are plenty of other alternatives, of course—enforcement will be next to impossible. The only practical enforcement tool is the most unpleasant one: "Here are the rules and we take them seriously. We're not going to search you and the security guard won't search your laptop for SS numbers. But if your laptop gets stolen or damaged and we later learn that such data was on it, you're fired and we might even have to sue you. Are you willing to take that risk?"

It's the kind of memo that IT management hates sending, but retailers must decide how to strike the right balance on customer data.

Personally, I'd encourage the in-between step. After all, it's better to compromise on your data policy than to have your policies compromise your data.