Should sensitive data be stored on laptops?
BOSTON, Massachusetts (AP) -- Every month
seems to bring another episode of sensitive personal
information escaping into the wild because a corporate or
government laptop computer is lost or stolen. A common
response is a lot of hand-wringing over how the data should
have been encrypted.
But some key
questions usually go unanswered. Why is so much private data
allowed to be on laptops to begin with? What do people do all
day that compels them to tote around records on, say, 26
million Americans, the staggering number seen in the recent
Veterans Affairs case?
"It's pure
laziness. There's actually no excuse for it," said Avivah
Litan, a security analyst for Gartner Inc. "There's no good
business reason for it."
Litan advocates a
few simple steps: Organizations should keep sensitive
information only on secure, centralized servers. Workers can
access the data from PCs in the office or over private
Internet connections, but can't store the records on their own
machines to fiddle with them offline.
If they absolutely
need to analyze data out of the office, the employees should
run programs that replace live credit card or Social Security
numbers with random "dummy" figures whenever possible, since
the actual numbers aren't always relevant.
Following such
rules would have prevented the scare that resulted when a
laptop with veterans' data was burgled from an analyst's home
May 3 (it was later recovered with the information apparently
unaccessed). The VA inspector general told Congress that the
staffer had been bringing data home for policy analysis since
2003.
It's true that
encrypting data -- scrambling them with private codes -- can
make whatever is found on a laptop almost impossible to read.
But encryption often isn't turned on by users who think it
degrades computer performance.
Consider the case
of the ING Financial Services adviser who had Social Security
numbers and other personal data for 13,000 District of
Columbia employees on his laptop -- until the computer was
stolen from his home last month. ING administers pensions for
the district.
The adviser had
broken ING rules by not having the data encrypted. ING
responded by recalling all employees' laptops to ensure that
encryption software was turned on and couldn't be switched
off.
But the fact that
the information was out of the office was not itself a
violation.
ING officials said
the adviser had the records because they corresponded to older
pension plan participants who were more likely to call him for
assistance. The adviser also wanted the data on hand for
potential marketing efforts, such as to help decide whom to
invite to a finance seminar.
Now, in light of
the laptop episode, ING is reconsidering whether sensitive
data should be allowed to leave the nest at all, even if it is
encrypted.
Steve Van Wyk,
ING's chief information officer, believes the emergence of
ubiquitous broadband connections and secure Web-based business
software has made it unnecessary for employees to store
private data on portable devices. Not only is that data
diaspora a security risk, but it also can be costlier for the
company to make sure back-office files and mobile data are in
sync, he said.
"The ability to
control it and protect it may be best if it's centralized," he
said. "Why even go through the vulnerability?"
To a large degree,
the problem of personal data floating away with laptops stems
from companies' tardiness in accepting just how valuable the
information is. Otherwise such records would have long been
treated like product designs, market intelligence and other
business secrets that aren't allowed to leave secure central
computers.
But it's not clear
this problem will ever go away.
Many mobile workers
want to keep information "locally" on their laptops so they
can work efficiently while traveling, meeting with clients or
pounding away in other settings where they can't connect to a
network. That's why they're often allowed -- even encouraged
-- to take laptops home.
That was the case
for an employee of investment adviser Ameriprise Financial
Inc. who had 158,000 clients' account information on a laptop
stolen in January.
Ameriprise
spokesman Steven Connolly said the worker was one of "very few
people" in the company allowed to keep that kind of personal
data on his own machine. Connolly would not explain what the
man -- a corporate-level staffer who did not interact with
clients -- did that required such intimate access.
In February, a
similar theft hit an Ernst & Young consultant, who lost
names, addresses and credit card information on 243,000
Hotels.com customers.
Ernst & Young
spokesman Charlie Perkins would not say why the consultant
needed to hold so much live personal information. Perkins said
the firm was confident, however, that its policy of encrypting
all 30,000 of its consultants' laptops -- a step that was
being implemented when the theft occurred -- would prevent
future incidents while preserving the staff's
mobility.
Even if employees
technically aren't supposed to walk out the door with
computers, many will quietly transfer business files to iPods,
"thumb" drives and other capacious storage devices, said Sunil
Jain, senior consultant for Sprint Enterprise Mobility Inc.,
the services arm of Sprint Nextel Corp.
"It's much faster
to download the data and then do the reports offline," Jain
said. "It's just human nature."
Jain finds that
even though he knows his company's central servers are
supposed to back up key files every night, he does the same on
his laptop just in case. He expects that's a common move,
especially since many companies -- including his -- tend to
give increasingly storage-rich laptops to employees whether
they really need them or
not.