When Data Goes Missing: Will You Even Know?

Computerworld - Recent reports of company-compiled personal data gone missing (such as Marriott losing many thousands of vacation club records), while clearly important, is really just the tip of the iceberg. What customers really need to ask of companies is, What other data has been lost? And in all likelihood, there is absolutely no way for the companies to know. The truth of the matter is, reported cases of massive data loss are just the ones they know about. And this problem will only grow with the proliferation of tiny personal mass-storage devices of dramatically increasing capacity.
How many people currently own flash memory drives? Tens of millions. And how many companies control the use of flash drives? You can count them on one hand. I travel a lot, and on a recent trek through airport security, I found a flash drive that had fallen under the security table. This lost drive had no distinguishing characteristics -- no labels to tell me who owned it or where he worked. With some time to kill before my flight, I decided to see if I could track down the owner. I had to invade the owner's privacy to see what I could discover from the content of the files. Turns out the files contained fairly innocuous content -- some project plans and a short PowerPoint in draft form -- but no way to identify the owner. (As a result of this experience, I have put a small .txt file on my devices with my name and address, and I figure an address label on the outside can't hurt either.)
Why is this an issue? Well, for starters, the storage capacity of these devices is growing at the "silicon curve" rate. Within the next two to three years, instead of the 500MB or 1GB drives commonly available today, you'll be able to purchase for about the same money a stick-like drive of 10GB or greater capacity. What if an employee decided to download a customer database to one of these devices (say, to transfer the data to another machine) and then proceeded to lose it? Is the data protected from loss? Probably not, even though there are many devices now available that include encryption capability (which is rarely used). And what if a competitor picks it up?

The potential to lose data on portable devices is a massive hole in most companies' security plans. The laws being passed in a number of states that require data loss to be reported to affected consumers work only