During the last months several laptop thefts made the news. Kevin Costner’s case did some noise, but the loss of pictures from his wedding was hardly something to raise a general privacy concern. Then came Ernst &Young with four stolen laptops and thousands of personal data records exposed. Few weeks later Boeing revelead that a second laptop has been lifted containing the names, social security numbers and other sensitive information of thousands of current and former employees.

Even more scaring came the news about stolen US military laptops in Afghanistan: hard disk and flash memory drives are on sale in local bazaar! The Los Angeles Times wrote:

A reporter recently obtained several drives at the bazaar that contained documents marked “Secret.” The contents included documents that were potentially embarrassing to Pakistan, a U.S. ally; presentations that named suspected militants targeted for “kill or capture,” and discussions of U.S. efforts to “remove” or “marginalize” Afghan government officials considered “problem makers” by the U.S. military.

All the journalistic accounts about these thefts suggested several countermeasures: using encrypted file systems and enrolling employees to security trainings were the more commons.

I felt that everybody was failing to catch the obvious … Eventually Calvin Powers, senior software engineer at IBM and blogger at The Privacy Place got it right:

I believe that no level of encryption or any security measure would stop the reporter from writing a story about a lost laptop with personal information. The reason for this is that the personal information should have never been on that laptop in the first place!

It is difficult for me to imagine anyone in E&Y needing immediate access to that many people’s records at one time. Who would physically have time to individually look at the information? And more to the point, why must the E&Y employee have the personal data on his personal laptop?

This is where the real problem is! Sensitive information shouldn’t be stored on laptop and even desktops. These kind of equipment are not designed to guarantee adequate protection of data.

In this age of an increasingly pervasive internet, it’s difficult for me to imagine a situation in which the personal data couldn’t be kept on a secure server in the E&Y network and accessed remotely from the laptop over a secured VPN.

This could be an effective solution: usually corporate servers are well guarded and offer an higher level of security than laptops and desktops.

But what about people not belonging to large and technologically educated companies? What about independent professionals?

What about the privacy aware laymen?
How should they handle their sensitive information?

Any suggestion? Post your answer on your own blog or leave a comment below. Thanks!