I have to say, it boggles the mind. How can unencrypted data be lost or stolen on company laptops so frequently? A year ago, maybe. Two years ago, I would consider it pretty much the normal mode of operation to have unencrypted data on laptops. But, this is 2007. We have the VA laptop, the second VA laptop, the Equifax laptop, the Texas Commission on Law Enforcement laptop, the Boeing laptop, etc. The list is virtually endless and growing weekly.
Incidents like the data security breaches at retail giant TJX or Monster.com, while not related to laptops or other mobile computing devices, are also very high profile and should heighten the awareness of every organization and individual regarding the security of personal information. So, why is it that it keeps happening? Why are there still organizations and individuals carrying the personal information of employees, customers, or other individuals on insecure and unencrypted laptops?
My answer is money. As long as it costs more money to develop and implement the tools and processes necessary to secure mobile computing devices such as laptops or portable storage than it does to fall prey to having those devices compromised, organizations won't secure and protect them. If it costs more to deploy and administer whole disk encryption or other security solutions on laptops than it does to handle the fallout of a lost or stolen device, companies won't invest in the security solution.
Companies should do what is right, because it is right. They should take care of protecting customer data and employee information simply because they have an obligation to protect the sensitive information entrusted to them. Sadly, capitalism doesn't work that way.
Company executives answer to the shareholders, not the customers. There is a symbiotic relationship in that a lack of customers will lead to a lack of shareholders, but ultimately executives are more interested in the bottom line and the fast buck than in customer satisfaction or even the reputation of the company.
The problem is that the market supports this way of thinking. TJX was responsible for the largest compromise of data to date, and yet the stores are still filled with shoppers and the stock is up. If there are no repurcussions, what is the incentive to invest in security?
If they invest money in proper security, that money is gone for sure. It is a 100% certainty that the money will be lost to proactively defend against a scenario that may never occur. If companies roll the dice and don't implement increased security, there is a chance they will be the next morning paper headline and end up spending a good chunk of money to compensate those affected and rebuild their reputation. But, there is a chance nothing will ever happen and they get to keep all of their money. It is a gamble many companies are willing to take.
Until consumers start talking with their money- by refusing to do business with companies that don't take the responsibility for protecting their data seriously, companies will continue to gamble. Until companies like The Gap start talking with their money- by canceling contracts and refusing to do business with 3rd-party vendors that don't take the responsibility for protecting their data seriously, companies will continue to gamble. Companies answer to the dollar, so it is up to consumers, whether they have been affected or not, to put their money where their proverbial mouth is and stop trusting organizations that gamble with their identities and financial information.