Laptop Security

By Steve Muck - Published, October 29, 2008

The following is the July 2008 summary of recently reported losses or breaches of personally identifiable information (PII) involving laptops or thumb drives. Laptop security continues to be the foremost vulnerability in the Department of the Navy. Names have been changed or removed, but details are factual and based on reports sent to the Department of the Navy Privacy Office.

• 01 Jul 08 - Government laptop stolen from locked hotel room.
• 07 Jul 08 - Laptop stolen from locked rental car while employee on TAD.
• 11 Jul 08 - Government laptop stolen from locked government vehicle.
• 14 Jul 08 - Government laptop stolen from locked government vehicle.
• 16 Jul 08 - Government laptop stolen from guarded staging area.
• 17 Jul 08 - Personally owned vehicle stolen with government laptop in trunk.
• 25 Jul 08 - Government laptop stolen while on foreign travel.
• 28 Jul 08 - Personal thumb drive stolen from government office.
• 30 Jul 08 - Government thumb drive stolen from government office.
• 31 Jul 08 - Personal laptop stolen from locked personally owned vehicle.

Lessons Learned

The majority of these thefts could have been prevented had the safeguards below been followed. Refer to the Naval message issued by the DON CIO, "Safeguarding Personally Identifiable Information (PII)" of April 2007, for detailed guidance.

• Storage of any form of PII is prohibited on personally owned laptop computers, mobile computing devices and removable storage media.
• When removing portable electronic equipment from a government-controlled workspace for compelling operational needs, the device must be signed in and out, with a supervising official designated in writing by senior leadership, when it contains 25 or more records containing PII.
• Laptop computers and mobile computing devices and the data stored on removable storage media must be password protected. Refer to DoD Instruction 8500.2, "Information Assurance (IA) implementation," of Feb. 6, 2003, available from the Defense Technical Information Center (DTIC) web site.
• Most thieves steal electronic equipment for its street value, but smart thieves know they can make significantly more money -- if they can access privacy information to commit identity theft.
• Automobiles are easy targets for thieves looking to make a quick buck. Locking your car is not sufficient protection for the contents inside or your personally identifiable information. Do not leave PII in your car; this includes personal mail and your vehicle registration. Thieves especially like to target ball fields, shopping malls and health club parking lots because they know that vehicles will be unattended for lengthy periods. If you must leave your laptop in the car, remove it from view. Be careful not to be seen locking a laptop in the trunk and park in a well-lit area.
• A good theft deterrent is placing a warning label on laptop computers that specifies the laptop contains hardware security controls that render the machine unusable.
• Encryption of data on all portable electronic devices is another good deterrent. If your laptop is not protected by the DON enterprise encryption solution, the use of WinZip software is authorized. WinZip is available on most Navy Marine Corps Intranet desktops.
• Train personnel on the security and safety risks associated with portable electronic equipment and the DON requirements for safeguarding PII.

Additional laptop security information can be found on the DON CIO web site (search on "laptop") and also on the Federal Trade Commission web site at www.ftc.gov.

Steve Muck is the DON CIO privacy team lead.

TAGS: Privacy