By BRIAN BERGSTEIN AP Technology Writer
BOSTON (AP) -- Every month seems to bring another episode of sensitive
personal information escaping into the wild because a corporate or
government laptop computer is lost or stolen. A common response is a
lot of hand-wringing over how the data should have been encrypted.
But some key questions usually go unanswered. Why is so much private
data allowed to be on laptops to begin with? What do people do all day
that compels them to tote around records on, say, 26 million
Americans, the staggering number seen in the recent Veterans Affairs
"It's pure laziness. There's actually no excuse for it," said Avivah
Litan, a security analyst for Gartner Inc. "There's no good business
reason for it."
Litan advocates a few simple steps: Organizations should keep
sensitive information only on secure, centralized servers. Workers can
access the data from PCs in the office or over private Internet
connections, but can't store the records on their own machines to
fiddle with them offline.
If they absolutely need to analyze data out of the office, the
employees should run programs that replace live credit card or Social
Security numbers with random "dummy" figures whenever possible, since
the actual numbers aren't always relevant.
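
The substitution described above can be sketched in a few lines. This is an added example, not part of the original article: it swaps Social Security and card numbers for random dummy digits before records leave the server, keeping the same dummy for the same real number so counts and joins still work. The field names and sample records are constructed for illustration.

```python
import secrets

def digits_of(value):
    """Return only the digit characters of a string."""
    return "".join(c for c in value if c.isdigit())

class DummyMapper:
    """Swap each real identifier for a random dummy of the same shape."""

    def __init__(self, real_values=()):
        self._real_to_dummy = {}  # held in memory only; never written out
        # Block every known real number so no dummy can coincide with one.
        self._taken = {digits_of(v) for v in real_values}

    def dummy(self, value):
        digits = digits_of(value)
        if not digits:
            return value  # nothing to replace
        if digits not in self._real_to_dummy:
            while True:
                cand = "".join(secrets.choice("0123456789") for _ in digits)
                # Never reuse a dummy and never emit a real number by chance.
                if cand != digits and cand not in self._taken:
                    break
            self._taken.add(cand)
            self._real_to_dummy[digits] = cand
        fake = iter(self._real_to_dummy[digits])
        # Keep separators (dashes, spaces) so downstream parsers still work.
        return "".join(next(fake) if c.isdigit() else c for c in value)

def mask_rows(rows, sensitive_fields):
    """Return copies of rows with the sensitive fields replaced by dummies."""
    reals = [row[f] for row in rows for f in sensitive_fields if f in row]
    mapper = DummyMapper(reals)
    return [
        {k: mapper.dummy(v) if k in sensitive_fields else v for k, v in row.items()}
        for row in rows
    ]

# Constructed sample records (not real people or real numbers).
SAMPLE = [
    {"ssn": "123-45-6789", "card": "4111 1111 1111 1111", "state": "MA", "claim_usd": "1200"},
    {"ssn": "987-65-4320", "card": "5500 0000 0000 0004", "state": "NH", "claim_usd": "310"},
    {"ssn": "123-45-6789", "card": "4111 1111 1111 1111", "state": "MA", "claim_usd": "85"},
]

if __name__ == "__main__":
    for row in mask_rows(SAMPLE, {"ssn", "card"}):
        print(row)
```

The real-to-dummy mapping lives only in memory for the length of one export, so the masked copy cannot be reversed from what ends up on the laptop.
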
Following such rules would have prevented the scare that resulted when
a laptop with veterans' data was burgled from an analyst's home May 3
(it was later recovered with the information apparently
unaccessed). The VA inspector general told Congress that the staffer
had been bringing data home for policy analysis since 2003.
It's true that encrypting data -- scrambling them with private codes --
can make whatever is found on a laptop almost impossible to read. But
encryption often isn't turned on by users who think it degrades