1. Data Protection Policy Compliance using Notebook Hard Disk Drive Encryption

2. Encryption: one element of Smart Security
Security Involves Several Focus Areas

3. Why Data Encryption? Breaches Can Be Costly!
When a breach occurs, organizations can lose money.
They may be required to publicly disclose the breach, significantly damaging an organization’s public image.
They are generally required to notify persons whose information was exposed - involving communication costs & perhaps financial compensation.
They may experience lost productivity costs when staff is repurposed to address a breach.
They may face fines from the FTC or business partners.
Many industries are now subject to governmental regulation and/or industry security compliance guidelines

4. Costs of a Security Breach
2007 Estimated Cost/Lost Record
Forrester Research: $90-$3051
Ponemon Institute: $1972
Direct Costs
Notification Costs - organizations can incur costs associated with legal fees, mail notification letters, calls to individual customers, increased call center costs and discounted product offers
Lost Productivity Costs - organizations can incur costs when employees and contractors are diverted from their normal duties in order to address data breach controls
Fines
Certain federal privacy statutes include fines for violations that can amount to tens of thousands of dollars3
In 2006, Visa and MasterCard announced levying of fines from $10K-100K against transaction processors that fail to keep transactions secure4,5
In 2006, the FTC issued $15 million in fines when an Atlanta-based consumer data broker lost more than 163,000 personal records to insurance and credit companies in February 20056
Lost Shareholder Value and Goodwill
Stock prices can take temporary or long term drops – eg, an Atlanta-based data broker had lost about 20% of its stock value 2 years after losing 163,000 personal records7
Footnoted references are recorded at the end of this presentation.

5. Who can be Affected? Virtually Everyone!
Any organization can be at risk if, for instance, they lose employee records
Retailers & Merchants
• In October 2007, a national home supply retailer announced that a laptop with the personal data of about 10,000 employees was stolen from the car of a regional manager
• In January 2007, a major national clothing retailer revealed that hackers took the credit and debit card information of customers through an unauthorized intrusion into their computer systems
• In June 2005, a regional membership warehouse retail chain on the east coast settled FTC charges stemming from lax security practices which included a failure to encrypt consumer information when it was transmitted or stored on store computers
Healthcare & Insurance
• In March 2007, one of the nation’s largest health insurers notified 75,000 members that a compact disk holding medical and personal information had disappeared
• In August 2006, a corporate operator of hospitals and health systems reported 10 laptops with thousands of patient files had been stolen from a regional office
Government Agencies
• In November 2007, a federal agency investigated the theft of personal computers containing the names of 12,000 veterans; in 2006, a system containing the personal details of 26.5 million veterans was stolen from the same agency
• In October 2007, a federal agency mandated that contractors must encrypt any and all data on personal computers following the loss and possible theft of two laptop computers
Educational Institutions
• In April 2006, a major state university announced that an unknown person or persons had gained unauthorized access to a large number of electronic records that included social security numbers and other biographical data
Banking & Brokerage
• In October 2007, a Kansas branch of a regional bank in the Midwest announced that a limited number of customers had personal data compromised in an attempted hacking of a computer system
Credit & Payment Agencies
• In February 2006, the FTC announced that it had settled with a third-party credit card processor for failure to provide reasonable and appropriate security for sensitive consumer information
Accounting
• In November 2007, an Ohio-based accounting firm lost personal information on clients when a laptop was stolen from an automobile

6. What can organizations do?
Strong data encryption can protect private information from unauthorized access
Data encryption can help address federal and state privacy requirements*
At least 39 states have enacted legislation requiring the notification of security breaches involving personal information**
Many federal laws that have been enacted also seek to ensure protection of private information
Encryption can be hardware-based or software- based
Hardware-based: Seagate® Momentus® Full-Disk Encryption (FDE) drives
Software based: Software encryption solutions exist from a variety of third-party independent software vendors
*Rigorous standards apply and can vary by state - check with a local legal expert for a complete set of requirements for your state
**According to the National Conference of State Legislatures, December 12, 2007

7. Hardware vs. Software Encryption
Dell FDE Hardware Solution
(FDE + Wave)
Software Encryption
Items encrypted
Everything (boot files, all folders, etc)
Encryption keys stored within the drive (closed environment = tougher encryption)
Some SW solutions omit boot files and possibly temp files
Performance
Encrypts as fast as the drive can write
Doesn’t utilize system CPU/memory
Uses system CPU power (estimated 3-4% performance degradation)
Manageability
Simple installation & deployment
Centralized management with purchase of Wave ERAS software
May experience issues with HDD errors and maintenance routines (i.e. defrag, bad sectors)
Risk that remote mgmt SW may not work well with some SW encryption solutions
HDD Disposal
Quick and secure “Erase” for HDD disposal or repurpose
Not available with most SW; would have to utilize current HDD destroy methods (time consuming)
OS Support
Microsoft® Windows® XP support thru Dell
Windows Vista® supported by Wave Systems Corporation
Many solutions support Windows 2000, XP, and Vista®; some support Linux®
Compliance Certifications
FDE drive is NOT currently FIPS compliant (primarily a Fed certification)
Many solutions have been NIST Certified FIPS Compliant
Encryption Options
Fully encrypts data stored on the hard drive
Full disk encryption on the hard drive
Optional encryption for removable media (i.e. USB keys, external HDDs, etc)
Deployment
Full deployment requires full scale replacement of existing HDDs
HW agnostic; allows full deployment across existing PC infrastructure. Does NOT require full scale replacement of HDDs
Dell recommends hardware encryption for new system purchases.

8. Dell FDE Hard Drive Solution
Solution Components
Select Dell™ Latitude™ D-series notebooks*, with
Seagate Momentus 5400 FDE.2 hard drive
Dell Embassy Security Center with Wave Trusted Drive manager
Wave Embassy Remote Administration Server Software (running on your Dell server)
Implementation of Dell’s Security Best Practices
ENTERPRISE NETWORK
Embassy®
Remote
Administration
Server
LOCAL PC
FDE DRIVE
Embassy®
Trusted Drive
Manager
Seagate®
DriveTrust™
Technology
Implementation of Dell’s Security Best Practices
* Seagate Momentus hard drives and Dell Embassy Security Center are also available on select Precision mobile workstations 8

9. Dell FDE Hard Drive Solution
Dell Embassy Security Center
Single-user Solution
This offering allows individual users to configure and control their personal access to encrypted data on their hard drive. The offering provides the following features
Authenticate user in BIOS
Simple Sign On capability
Single-user passwords management
Manual backup and restore for keys
Factory-installed software
Key Components
Seagate Momentus FDE hard drive
Factory-installed Dell Security Center with Trusted Drive Manager
Single-user
Solution
Managed Enterprise Solution
Using the ERAS software, IT departments can remotely manage clients with FDE hard drives, providing documentation on the state of a drive when a system has been lost or stolen. With ERAS server software, you can…
Enable remote deployment & management of FDE hard drives
Take ownership of TPMs
Enable identity & authorization provisioning from Active Directory
Embassy Remote
Administration
Server
(ERAS)
* Note: Additional Wave security solutions detailed in backup slides 9

10. Client Encryption Evaluation Program
Cross-over
Network cable
Reviewer’s
Guide
“Client” System with
Dell Embassy Security Center
“Server” System with
Embassy Remote Administration Server
Program
Client Full-Disk Encryption Evaluation Program
Program Scope
14-day technology evaluation program
Two systems:
- “Client” system with Dell Embassy Security Center
- “Server” system with Embassy Remote Administration Server
Key Features
Step-by-step Reviewer’s Guide, showing how…
- To initialize and enable drives
- To add/remove users
- To remotely manage credentials
- The FDE drive is protected from a hacker
- To decommission or re-commission a drive using “Erase” function

11. Backup Materials 11

12. References
“Calculating the Cost of a Security Breach" Khalid Kark, Forrester Research, April 10, 2007.
"2007 Annual Study: U.S. Cost of a Data Breach," The Ponemon Institute.
Health Insurance Portability and Accountability Act of Public Law , 104th U. S. Congress, August 21, 1996
“Visa and MasterCard take new steps to stop credit card fraud,” Jeremy Simon, Creditcards.com Article, November 27, 2006 (
“Visa USA Pledges $20 Million in Incentives to Protect Cardholder Data”, Visa Corporate Press Release, December 12, 2006 (
ChoicePoint Settles Data Security Breach Charges; to Pay $10 Million in Civil Penalties, $5 Million for Consumer Redress, Federal Trade Commission Press Release, January 26, 2006
“The Hidden Cost of IT Security,” Network Security Journal, Cindy Waxer, April 16,