Attn all researchers: How about we just not take work laptops home from work.

Are you kidding me?

Are you freaking kidding me??

Remember several months ago, the story about the PIs leaving their laptop in their car while they ate some Panera? And while they were NOMing someone broke into their car, stealing the laptop, and all their un-backed-up data?

And we are all like "OMFGWTF?"

"Who the hell leaves a laptop with that kind of information on it in their god damned car?? Who doesnt back up their data?? WAT??? ... Oh well, costly reminder for the rest of us."

YOU WILL NOT BELIEVE THIS.

Okla. health department laptop stolen

Nearly 133,000 people may have had personal information compromised after a laptop belonging to the Oklahoma State Health Department was stolen from an employee's car on April 6.

Stolen data may include names, birthdates, mailing addresses, Social Security numbers, medical records information, laboratory results or other data, according to the state agency.

*passesoutfromdisbelief*

More like this

This is probably the last thing I'm going to say about pseudonymous blogging. I plan to leave the issue behind forever. Or at least for a few days. The "argument" between DrugMonkey - PhsyioProf - BlaBlaBlaBlog ("the clique") and me has become sterile and senseless, primarily because the clique…
Just in case you are a physician looking for a reason to avoid drug reps, you should read this article on PLOS Medicine.  It is an enlightening, if sickening, inside view of pharmaceutical sales practices. face="Helvetica, Arial, sans-serif"> href="http://medicine.plosjournals.org/perlserv…
NOW. Do not read this post. Hook your computers up to your external hard-drives, back up your data, then come back to read this post. ... Okay, Im assuming the only people reading right now are people with Apple-->Leopard-->Time Machine, and already have things constantly backed up, or non-…
Homeland security is a priority for the Bush administration. I know that because they keep telling us. We have to take off our shoes and take out our identification getting on and off planes. Not just any identification, either. Official stuff. And crossing borders -- any borders, even the border…

For most researchers I know their work laptop is also their personal laptop so "not taking it home" makes zero sense. When it comes to government agencies you should only have a laptop if you need to routinely travel, or work from home, with that specific laptop. Again in that case leaving the laptop at the office makes no sense.

People just need to take better care of their stuff. And backup research regularly of course.

By Dan Gaston (not verified) on 21 Apr 2011 #permalink

Having recently suffered the 'loss' (harddrive recovery service eventually got it back after major $$$) of my thesis, I can wholeheartedly agree with the "BACK IT UP" sentiment. However, that wouldn't have actually helped here. Things that would have helped: not leaving the laptop in a car.

It's not the taking it home that's stupid, it's the failure to have:
1) automated backups to a central server
2) the master copies of everything stored on a network drive
3) full-disk encryption.

As Dan points out, a laptop you can't take out of the office is basically a desktop with really crappy specs.

By Corkscrew (not verified) on 21 Apr 2011 #permalink

I agree with Becca... Don't leave your laptop in your fucking car.

By Kemanorel (not verified) on 21 Apr 2011 #permalink

I'd say "Don't leave a visible laptop/laptop bag in a car. Tossing it in the trunk, stashing it under other stuff, etc in a car is usually going to be fine. You just don't want to be the obvious target of opportunity.

By Dan Gaston (not verified) on 21 Apr 2011 #permalink

As others have stated, the problem here is not the lack of backups, it's that sensitive data were allowed to be copied to a laptop and reside there in a format such that anyone in possession of said laptop could access it. That database should have been on a master server (with adequate backups--at least hourly, in this case) behind a heavy duty firewall, with only authorized users allowed access, and only for the purpose for which they need access; the only copies of that database that should have existed would be the backups. That level of security isn't the best possible (to do that you would have to have the database on a computer not connected to the network--Los Alamos protects their bomb codes that way), but it is an acceptable compromise given that authorized users need to be able to update the database.

By Eric Lund (not verified) on 21 Apr 2011 #permalink

Clearly what needs to be done is address the root cause: a society in which privileged people think its ok to steal things. If you disagree with this, or even suggest that the victim could have done a single solitary thing to prevent it, then you're blaming the victim and an evil tool of the kleptiarchy.

haha bizzaro day for me.

If my job provided me with a computer (a desk and cubicle/office would be grand, but a computer would be a good start) I wouldn't have to transport a laptop back and forth. Note that I don't do any work at home on my laptop.

I've always admired the approach the Queen's Messengers take: if the documents are really important, handcuff the case to your left arm. Only a really determined thief with a machete is getting those. It stops you leaving them on public transport, too.

By stripey_cat (not verified) on 21 Apr 2011 #permalink

if the documents are really important, handcuff the case to your left arm.

I thought was just good sense for all covert/secure transactions, at least on TV. Sure it's a little conspicuous but it's a little safer.

I've always admired the approach the Queen's Messengers take: if the documents are really important, handcuff the case to your left arm. Only a really determined thief with a machete is getting those. It stops you leaving them on public transport, too.

What if you duct tape it to your chest and hide it under a puffy coat?

By Drivebyposter (not verified) on 21 Apr 2011 #permalink

If it is the data of the researcher, I really don't care if they take the laptop home. Just back it up. They need to do that even if it stays at work.

But...

If that laptop has confidential information of 100 thousand people on it, then it should stay at work. No exceptions whatsoever. Any violator should be fired immediately -- no warnings. Indeed the data is worth millions. Taking it home should be as ludicrous as taking a suitcase filled with several million dollars in cash so one can count it at home. Indeed the data on that laptop is worth more than several million dollars. It is worth a lot more.

Indeed identity theft is such a problem that we might need to make it a crime to take the data home or to ever have it on a computer that is allowed to leave a secured location.

By Childermass (not verified) on 21 Apr 2011 #permalink

If one wants to risk their personal data or a company wants to risk its corporate data fine. But the moment the data is the private information of members of the public, the right to work were it is convenient ends.

And I don't care how good the encryption is. Because it if it is done wrong or not done at all, it is all for not. And human nature being what it is, I can guarantee that many won't do it right. And it is likely that we might never know it. And then we we have the problem that private info for 100,000 people is worth a lot on the open market.

And yes, I am aware how much of pain, nuisance, and expense what I am proposing can be. But that cost is nothing compared to the cost to the public if criminals get access to private information. For one person's data can result in thousands of dollars in losses.

By Childermass (not verified) on 21 Apr 2011 #permalink

Why is anyone in the least bit surprised that this happened?

Human stupidity is a limitless and perfectly renewable resource.

3, 5, and 6 are correct; 12 and 13 show a lack of knowledge of IT systems.

That said, why were those individuals not provided with IT support? Seems to me that their institution bears the responsibility for providing them the support they need to do their work in a manner that does not create added risk.

So far we have:

= The individuals didn't ask for support.
= The institution didn't offer support.
= The individuals left an unsecure machine in a high risk location.
= And a thief stole it.

Going on a blame game doesn't solve this: there were four points at which things went wrong that could have been prevented. A solution applied at any of those levels would have prevented loss of the data.

And the lesson is: don't let things fall through the cracks. When something breaks down at one level, someone at another level needs to step up to the plate and deal with it.

If you are in a situation where you need IT support to ensure the security and integrity of research data or other critical data, ask for that support, and keep doing it, in writing, relentlessly. Be nice but be firm and persistent. Accept whatever support is offered.

If you are being asked or expected to carry a machine containing unsecured critical data under risky circumstances (e.g. "take your laptop home tonight and finish the analysis"), raise the security issue in writing and ask for explicit directions as to how to proceed, and then follow those directions.

If at that point something happens, you have a "paper trail" with which to demonstrate that you have done everything in your power to prevent loss of data. Then you and whoever else, can escalate the issue through the institution as needed to prevent a recurrence. Sometimes it takes a significant loss before an institution recognizes the need for support resources. This, unfortunately, is human nature.

Its almost impossible not to have some PHI/confidential information on your hard drive (lap top or otherwise) if you work in health care.

I can't believe they didn't have the hard drive encrypted---Our university requires it, on laptops that are used for university "business".

They are idiots for not having a back up.

Its gotten boring reporting on all the negative papers, because they are all negative :-/

But just to make the point clear, if anyone missed it, it is beyond bizarre that XMRV cannot be found in HIV+ patients, if it is a real human pathogen.

Logical conclusion, taking this paper in isolation: XMRV is probably not a real human pathogen.

Logical conclusion, taking this paper in concert with all the other XMRV-/HIV+ papers, and all the other XMRV- papers, the papers putatively explaining XMRV+ results via contamination, and the bizarre nature of the XMRV+ papers: XMRV is not a real human pathogen.

Who doesnt back up their data?

I don't know. My guess would be liberal arts and soft science majors.

In other news, Some guy who looks oddly familiar is in a bit of trouble.

By William Wallace (not verified) on 23 Apr 2011 #permalink

John, you just don't understand >>>REAL SCIENCE<<< the way Limp Willy does.

And you never will.

Barring traumatic brain injury, of course.

By minimalist (not verified) on 23 Apr 2011 #permalink

Bah, that was meant to say "REAL SCIENCE the way Limp Willy does." At least until those angle-brackets interfered.

By minimalist (not verified) on 23 Apr 2011 #permalink

"...kinda looks like..." ... "...real science..."

Yeah, not fake science like evolution. "When you were an embryo, you went through a stage where you kinda looked like a porpoise. Ergo, your anncestors and dolphins' anncestors are the same. Evolution fact, baby. Just like gravity. Gotcha." (Fade out with biologist patting himself on back, as he runs to Jiffy Lube to have his blinker fluid topped off).

At least the pope strikes back. Should be fun after the science bloggers get back from their weekend of backing up their hard drives.

By William Wallace (not verified) on 23 Apr 2011 #permalink

"It is impossible to believe that random chance could have produced a globe-spanning cult of child molesters."

- Pope Creepo XXI, world authority on nothing

By minimalist (not verified) on 24 Apr 2011 #permalink

In order to correct Willy, one would first need to take him through the very basic Biology 101 classes and then work their way up. I don't really have the desire, atm. Anyone who does is welcome to it.

By Poodle Stomper (not verified) on 24 Apr 2011 #permalink

In order to correct Willy, he would first have to be willing to learn. Even if someone out there has the desire, take my advice: don't waste your time.

You have failed to identify the biggest problem. In order to correct me, you'd first have to be correct. Given the fact that "stupid" is one of the biggest words in a science blogger's vocabulary, it doesnât, "like", look promising.

"Do ya kinda git it?"

By William Wallace (not verified) on 24 Apr 2011 #permalink

Given the fact that "stupid" is one of the biggest words in a science blogger's vocabulary,

Only with regard to trolls.
"Do ya kinda git it?"

Why are people storing that kind of information on their laptops in the first place? I work in health insurance IT, and my work in progress is stored on a share drive on the workplace server; I can log in to that server from home.

Seriously, I don't get it. Then again, a hospital employee here in Massachusetts left folders containing patient information on the T, so I'm just going with "people don't think these things through".

By OleanderTea (not verified) on 07 May 2011 #permalink

Wow, can't believe I missed this one.

My full-time job is as a security guy for a major research University. A few years ago I interviewed for a CISO position at one of our affiliates.

I was actually asked about whether I would allow scientists to bring sensitive data out of the office on laptops. I emphatically stated no, as I mentioned that in my experience they were much more likely to lose it than actually do anything useful with it. If they want to work, they can come into the office. It's why it was built, after all.

Needless to say, I didn't get the gig.

So, what needs to change is that the security guys need to be able to tell the researchers what to do and not the other way around. Until then this is going to keep happening.