Once again, a recent piece of news hit the headlines with another laptop mishap: an unnamed contractor is being blamed for a data breach at Gap that has compromised the data of about 800,000 people who applied for jobs with the US clothing retailer.
Gap said the data had been stored on two laptop computers that were stolen from the contractor's offices. The laptops had information on people who applied for positions at Gap stores, including Banana Republic and Old Navy, between July 2006 and June 2007. This information was supposed to be encrypted but it was not.
The response to the incident, from a PR point of view, has been quick: Gap has set up a Web site to assist those who may have been affected by the breach. Victims are being offered one year of credit monitoring and fraud resolution assistance.
The main lesson of this ever-growing class of incident is that the boundary of my security perimeter moves the moment I outsource any business function (e.g. data processing). My security strategy has to follow it and be just as effective on the outsourcer's side as on my own. Otherwise my customers will hold my company responsible, no matter which other companies are actually involved in the process. This is one more reason to demand, both contractually and technically, stronger safeguards from our outsourcers, and to verify that they are in place rather than take them on trust: in this case the data "was supposed to be encrypted", and nobody checked that it was.
Another conclusion is the convergence of logical and physical security. Which of the two is to blame in this case? Both. Any laptop, whether ours or an outsourcer's, needs to protect the information it holds (by encrypting it at rest, with keys that do not travel alongside the data, and by synchronizing it with central systems that are regularly backed up, so that a stolen machine means neither a disclosure nor a loss), and physical security should control and log any media coming into or going out of the company.
We'll see many more of these incidents, for sure.