Theft of laptop and other mobile computing devices leads to identity theft

Here's a quote from a good article by Fran Howarth regarding the risks of theft of your mobile computing devices such as laptops, smart phones and flash drives.

"To be found on the laptop, the one or more mobile phones, and the handful of USB sticks held in the average briefcase today is a potential treasure trove of company assets. The cost of the physical replacement of all those devices should that briefcase be lost or stolen is not insubstantial in today’s expenses sensitive world, but that is just the tip of the iceberg.

Every one of those devices is likely to contain a great deal of data, from names, addresses and other information contained in contacts lists to intellectual property and other sensitive information related to work. Such information is valuable to thieves looking to steal material that could be used for identity theft or for corporate espionage.

Even if someone just publicised the fact that sensitive information has been lost, this can cause serious damage to the reputation of the organisation involved, as many companies and government agencies have found to their cost. And there may be serious ramifications if a device is lost that contains information that can be used to identify individuals. This is because regulations are increasingly demanding that individuals must be notified if a security breach such as that caused by a lost or stolen laptop leads to their personally identifiable information being compromised. This can result not only in reputational damage, but may also lead to financial loss as customers take their business elsewhere.

Such regulations are already in place in most states in the US and other countries worldwide, and the EU is currently examining similar legislation. However, many existing regulations related to security breach notification include at least one caveat—if the data held on portable devices that have been lost or stolen was encrypted, the data is considered to be adequately protected and no notification is necessary. Most importantly for the individuals whose information has been placed at risk, the chances of the data loss personally impacting them in a material fashion is minimised.

Encryption of course is no information security panacea. Rather it should be used in combination with other security controls and should therefore integrate with other tools in use to provide an extra layer of protection for the overall security arsenal. But, as companies refine their security architecture and policies with data leak prevention in mind, they should consider the use of encryption technologies for data on portable media, laptops, smartphones and similar devices."

The full article can be found here - http://quocirca.computing.co.uk/2009/07/security-on-the-move.html.