From large enterprise to small business and everyone in between, lost and stolen laptops are a real problem. Take for example the British Broadcasting Corporation (BBC). The BBC recently reported that over 170 laptops, tablets and mobile phones had been lost or stolen over the last two years. The devices have value of course, but even more concerning than the replacement cost is the potential for data that resides on that device to fall into the wrong hands.
Compliance fines for the failure to protect personal information from regulations such as GDPR, HIPAA and others are no laughing matter. In January, MD Anderson was ordered to pay $4.3 million in civil money penalties for HIPAA violations when they failed to encrypt protected health information (PHI) which led to the exposure of more than 35,000 individuals when a laptop was stolen and two thumb drives were lost in 2012 and 2013.
At Absolute, we have the Investigations and Recovery Team to track and recover lost and stolen devices on behalf of our customers. Since the team’s formation in 1993, we have helped customers around the globe recover more than 50,000 lost or stolen laptops over the years. In FY2018 alone, the team investigated more than 15,000 laptop incidents and successfully recovered 67% of them.
To track and recover lost or stolen laptops, the team takes the following steps.
Step 1: Assess the Situation
When a customer lets us know about a missing or stolen laptop, our recovery agents immediately assesses the situation using the investigative skills of our team members and our patented Persistence technology, which provides visibility into the state of the device and offers controls to remediate issues quickly, no matter whether it’s on or off the network.
Step 2: Contact Law Enforcement
Based on the initial incident assessment, we work with our contacts at over 6,500 global law enforcement agencies. All of our team members are certified in information security and most of them are former state and federal law enforcement agents who have significant investigation experience.
This step is extremely valuable to organizations because most don’t have the bandwidth to work with law enforcement agencies. Additionally, not all organizations — especially within an enterprise environment — authorize employees to be able to file a police report on the company’s behalf.
Step 3: Recommendations on Handling Data
If we determine that a missing device has sensitive information on it, we can also remotely freeze or delete the data and provide a Risk Analysis report within the first 72 hours to satisfy GDPR requirements. Our third-party assessment details risk action recommendations including whether or not the device was encrypted. This knowledge lets the company know if reporting the incident to affected individuals and regulatory bodies is required.
There are many reasons devices go missing – from simple, unintended misplacement to concerted theft efforts by organized crime rings. The Investigations and Recovery Team works with numerous industries including education, healthcare, financial, oil and gas, and others. Why? Because loss and theft unfortunately occurs everywhere and data protection is important to everyone.
One tip to leave you with: if one of your devices goes missing and you’re an Absolute customer, your first step should be to call us rather than institute a device freeze – even if you have that capability. Let our experts look into the incident and determine the best course of action. If needed, we will coordinate with law enforcement on your behalf and let you know if the device’s data was encrypted or not so you know if reporting will be necessary given GDPR requirements.
Finally, it’s important to remember that device tracking isn’t device recovery. Don’t attempt to recover a stolen device on your own. If a crime has been committed, let the professionals handle it.
Whether a device goes missing for accidental or malicious reasons, the risk is the same. How can you prepare your organization? Join the webcast, Lost or Stolen Devices: Your Plan for Effective Response on October 30.
Kevin is a Senior Director of Risk Management at Absolute Software. With over 15 years of experience in the information technology industry, Kevin has expertise in Information technology strategy, information security management, and application design and large scale system implementation. He has managed global cyber software implementations for fortune 500 clients. Prior to joining Absolute Software, Kevin was a Director in Cyber Risk Advisory Service practice at Grant Thornton.