Protecting Key Corporate Assets: Intellectual Property
What if your company loses a laptop holding proprietary information, such
as CAD drawings of your next big idea or other forms of intellectual property?
The key to your success as a company is typically associated with protecting
key corporate assets, and those assets are at least in part digital (if you are a
software company, they may be entirely digital). This is not strictly about
data privacy, but it is about data protection: keeping information from falling
into the wrong hands.
Cinching Up the Kimono
So, how is a company supposed to manage all of its information? Digitally
mark every bit of proprietary information? Digital signatures? Watermarking?
276 Part IV: Managing the Flow of Information
Protecting employee information: Data loss at HP
In August 2006, Computerworld reported on the
results of a survey conducted by Ponemon
Institute LLC and Vontu Inc., a San Francisco-based
provider of data loss prevention products.
The survey concluded that 81 percent of
reporting companies had experienced a theft or
loss of sensitive employee information — items
such as names, addresses, and social security
numbers. In most cases, the sensitive data was
on company laptops that had been stolen or
gone missing. One company that experienced
such a loss was HP.
In HP’s case, the laptop was owned
by Fidelity. It contained data on approximately
200,000 HP employees and was to be used to
showcase new software that Fidelity said would
help HP in certain administrative tasks related to
HP’s retirement plan. According to an article in
the Register, Fidelity didn’t brief HP beforehand
that the data was to be used to showcase the
software in question. But the Register went on to
say that the loss of the laptop was, according to
HP, due to “human error.” Was the “human
error” a case of an employee leaving the laptop
unattended, thereby resulting in its theft?
How did such an error occur, and who was
responsible for the loss of Fidelity’s laptop?
These questions raise issues of oversight and
accountability, especially at Fidelity. A March
2006 CNet article mentions that no abuses of the
employee information had thus far occurred,
and that employee PIN numbers for the Fidelity
accounts were not part of the missing data. This
would seem to indicate that the accounts
wouldn’t be easily breached by anyone with
malicious intentions.
So many companies report a loss of employee
data (81 percent as cited earlier) that this IT GRC
issue should raise serious concern for security
and IT professionals in all companies, even
those with small employee databases. Best
practices in the area of data protection must be
considered, both for employee data and for
client data (which is really the problem in many
cases, including HP’s).