Information Security Office Riverside County Information Security Office

Laptop Theft: How Serious? More than 600,000 laptop thefts occur annually, totaling an estimated $720 million in hardware losses and $5.4 billion in theft of proprietary information. Safeware Insurance, 2003 According to Gartner, the chances of a laptop being stolen this year are 1 in 10. Gartner Group, 2002 Gartner estimates approximately 70% of all laptop thefts are internal. Gartner Group, 2002 Laptop theft has been attributed to 59% of computer attacks in government agencies, corporations, and universities during 2003. Baseline, 2004 80% of those surveyed acknowledged financial losses due to computer breeches. CSI/FBI Computer Crime and Security Survey, 2002 97% of stolen computers are never recovered. FBI Nearly 40 percent of victims do not report computer intrusions. CSI/FBI Computer Crime and Security Survey, 2005 81% of companies surveyed “reported the loss of one or more laptops containing sensitive information during the past 12 months.” “Data Loss Common for US Firms” PC World, August 17th, 2006

Data Theft: How Serious? 67.7% of respondents report the estimated value of proprietary data on their stolen computing device at $25,000 or less; 9.2% estimated the value at $1,000.000 or more and 2.3% estimated the value at more than $10,000,000. The value of proprietary data on respondents stolen Computers averaged $690,759.61 per stolen Computer. 45.6% of respondents report other items were stolen at the time of the Computer theft, with removable media (including spare disks, stored files on CDs, removable media and spare hard drives) accounting for 21.8% of the additional stolen items. Average total replacement cost of stolen computing devices was $14,227.27 per device. This does not include the cost of the data on the computing device. 2003 BSI Computer Theft Survey

It’s not the Laptop – It’s the Data!

What’s an Identity Worth? 208 Identity Incidents this year September, 2006: Telesource – 11 SEP 06 (Social Security numbers and other personal information found in dumpster) Cleveland Clinic (Florida) – 8 SEP 06 (Social Security numbers, dates of birth, addresses and other details of 1,100 patients stolen) University of Minnesota – 8 SEPT 06 (Personal information of 13,084, including 603 Social Security numbers, on stolen computers) Linden Lab / Second Life – 8 SEP 06 (Names, address, and payment information of almost 650,000 on hacked server) BMO Bank of Montreal – 8 SEP 06 (Stolen laptop contains personal data for about 900 clients) Florida National Guard – 7 SEP 06 (Social Security numbers of up to 100 soldiers on stolen laptop) Chase Card Services – 7 SEP 06 (Tapes with information on over 2.5 million Circuit City cardholders thrown in trash) Transportation Security Administration – 6 SEP 06 (Social Security numbers and birth dates of 1,195 mailed to wrong addresses) Wells Fargo – 1 SEP 06 (Social Security numbers and names of Wells Fargo employees on stolen laptop) City of Chicago / Nationwide Retirement Solutions – 1 SEP 06 (38,443 names, addresses, Social Security numbers, and dates of birth on stolen laptop) Virginia Commonwealth University – 1 SEP 06 (Names, Social Security numbers, and email addresses of 2,100 exposed online) 3,206,922 – Just in September.

ISO Policy “Hardware & Software Control” ...[A]ll hardware and software shall be obtained from or authorized by the department head or their designated agent. This includes equipment such as Servers, PCs, Laptops, Printers, Cell Phones, Radios, PDAs, Telephones, portable media such as USB drives, CD-ROMs, CDRWs, DVDs, DVRs, [and] Software. Department heads or their designated approving agent will authorize the adding of any networked component that is connected either directly to the County’s Wide-Area-Network, indirectly connected via a Local-Area-Network segment, or attached to an existing system.

Board Policy H-26 Board Policy H-26: “As a minimum, departments will track laptop computers, and high-end cell phones, PDA’s and GPS receivers.” “Any device used to store sensitive data or connect to the county’s network will be tracked […]”

But what is Sensitive Data? HIPAA, Privacy Act, Personnel Data California Public Records Act California Government Code 6254.9 What about data that’s not covered?

Data Classification Policy ISO Proposed Board Policy Categorizes Public vs. Sensitive Data Defines categories of Sensitive Data Restricted Data Private Protected Intellectual Property Defines who decides what’s public and what’s sensitive. Defines who owns the data Still in work; under review by County Counsel

Theft or Loss Policy Many departments have no policy or procedures on the theft of loss of IT equipment or the data it may contain ISO Proposed Board Policy In the event of theft or loss, the employee must immediately notify the: Applicable Law Enforcement Agency (in the case of theft). Department ITO In all cases, Department must notify: Information Security Office Auditor-Controller’s Office Still in work; under review by CISO

What about Personally Owned Devices? Personally owned devices expand and blur the County’s information borders Introduces new entry points for hackers, viruses, and other dangers. In general, use of personally owned devices should be prohibited If a county employee needs a tool for a job, the county should provide it. Most uses of personally owned devices is for the users convenience – not the good of the County

What if a Department wants to allow Personally Owned Devices? See last slide – don’t! Department head is ultimately responsible for permitting use of Personally Owned Devices Authorization in writing List all required safeguards List any limits to it’s use Record specific acknowledgement that any county related information on the device belongs to the County

Questions?