


Sarah D. Scalet
Senior Editor

How to Keep Portable Data From Escaping

May 01, 2006

Laptop and handheld computers are easy to carry around...and just as easy to steal or lose. Here's a buyer's guide to options for protecting the data they hold.

As far as Joseph Gimigliano is concerned, the best way to deal with a laptop or handheld device being stolen isn’t to run down the street yelling, “Stop, thief!”

“We’re trying to make what they steal not valuable,” says Gimigliano, associate director of architecture and security at Purdue Pharma, the Stamford, Conn.-based company that makes painkillers such as OxyContin. “It’s not the laptop that’s of value. It’s the data that’s on it.”

To that end, Purdue Pharma, like a lot of other companies right now, is testing methods of encrypting data on laptops, starting with the least expensive option of all—using features built into Microsoft products that Purdue already uses. Compliance is a big driver, especially for companies that have personal information about customers saved on portable devices. That’s because some of the emerging privacy breach disclosure laws—California’s SB 1386, as well as a data accountability bill being considered in Congress—don’t require companies to disclose a breach if the personal information on a device was encrypted. The idea behind such rules is that even though the device went missing, the information on it wasn’t really compromised.

“Any reasonable type of encryption method will get the ‘hackee’ off the hook on disclosure,” says Erika S. Koster, a partner in the intellectual property group at Oppenheimer Wolff & Donnelly, a law firm in Minneapolis. Koster notes that whether a company opts for full-disk encryption or an emerging category of “policy-based” encryption doesn’t really matter from a compliance standpoint (although better security generally means better defense against lawsuits).

But encryption isn’t the only option for protecting both laptops and an increasingly loaded bevy of handheld devices, from PDAs to supercharged mobile phones. Companies also have to weigh whether a password is enough to protect access to a device and, if not, which authentication method to use instead. And they can also consider software that either deletes sensitive information or traces the device if it is indeed stolen. Many of the options in this last category are already built into existing products. Purdue, for instance, has taken advantage of a feature built into the popular BlackBerry that allows the device to be remotely reset if it’s lost or stolen.

To help you sort out all the options, we talked to David Friedlander, a senior analyst at Forrester Research, and Eric Maiwald, a senior analyst at the Burton Group. Then we did a whole lot of legwork and a little bit of shopping. The results are presented in our first-ever buyer’s guide to securing portable devices. [We’ve made the guide available as a one-page PDF.] We even threw in a couple of theft prevention options, although nothing takes the place of educating users about protecting their portables. (Please note that prices are approximate, and vendor lists are not meant to be all-inclusive.)

Whatever options you choose, though, don’t forget the least expensive risk-reduction method of all: not putting sensitive information on portable devices in the first place. At UPS—which is now evaluating its encryption options for 20,000 of its laptops—management embarked a couple of years ago on an enterprisewide quest to remove Social Security numbers from all kinds of documents except in cases where they were absolutely necessary, such as processing payroll.

“We eliminated the use of [Social Security numbers] in hundreds if not thousands of places,” says Randolph Smith, a manager of information security. “All it required was a behavioral change. We have much less risk, and we have fewer things to worry about, at very little expense.”