May 31, 2006 at 6:00 AM ET
A worker takes home a laptop computer loaded with personal information. The computer is stolen during a burglary, and with it, a hoard of Social Security Numbers are taken, creating tremendous risk for widespread identity theft.
Think you've heard that story? You probably haven't. It happened sometime in May, to customers of Baltimore's Mercantile Bankshares Corp. In that incident, 50,000 consumers had their personal information compromised -- including their Social Security numbers and their account numbers. In this case, the laptop was stolen from a car.
Perhaps you've heard this story? Fidelity Investments had to admit earlier this year that a laptop containing 200,000 identities was stolen from a public location.
You are no doubt familiar with last week's news from the Veterans Administration, which revealed that a computer containing the identities of every living veteran -- and some family members -- was stolen from a house. Now that we've had a week to beat up on the employee who took home all that information, it's time to look beyond this one incident, and that one pour soul who now regrets ever taking work home with him.
He's hardly alone. Millions of Americans take work home every day -- 20 million, according to the Bureau of Labor Statistics, or about 1 in 7 U.S. workers. Each one is a ticking time bomb. Just ask Fidelity or Mercantile Bancshares.
In light of last week's dramatic news from the VA, here's a not-so-modest proposal: Leave the work at work.
During the past 10 years, corporate America has slowly but surely extended the work day way beyond 9-to-5. It has extended the office, too, into home bedrooms and dens across America. The number of people who go home, feed the kids, then log in has skyrocketed from close to zero 10 years ago to two-thirds of "professional" workers, according to the U.S. government.
Perhaps it's not worth it. In the cost-benefit analysis of this creeping work force, computer security has not been taken into account. Recovering from a high-profile data loss is expensive and embarrassing. This is no doubt hyperbole, but instructive hyperbole -- at a congressional hearing last week, the VA discussed the possibility that the ultimate price tag for its lost hard drive would be $100 million. Whatever that employee was doing at home couldn't have been worth that much.
Now is a time to reconsider this extended work day. Given the true costs, would it be better to just let your workers leave the data behind when they leave the office?
Are you better off, soccer moms?
Working at home can give employees additional flexibility. I know there are soccer moms who are allowed to leave work early, drive the kids to the game, and then make up for lost time late at night after the kids are asleep. Perhaps that's an employee benefit.
But companies are getting a lot free labor out of their employees. The Bureau of Labor Statistics says in 2004 (the most recent year for which statistics are available), 10 million people worked extra at home with no arrangements to be paid for the work, and they averaged 7 hours a week. That's almost a full day of free labor.
It's hard to tell a corporation that work isn't worth it -- unless you take into account the unexpected cost of a data disaster.
Of course, preserving this free labor force is a critical priority for corporate America. An entire industry of software has developed to secure after-hours home work. That's why we've all learned terms like VPN (virtual private network) and tunneling. Avivah Litan, a security analyst at research firm Gartner who testified before Congress last week about the VA theft, insists there are safe ways to work at home.
It can be safe, but it's not
Working at home is no more dangerous than giving employees computers with floppy disk drives or USB ports, which can also be used to download data, and simple policies can cut down dramatically on the risk, she said. For example: Personal data should never be removed from company computers unless it's encrypted.
The truth, however, is very few organizations enforce such policies. Why? They don't have to.
"In many situations, there are just no rules out there," she said. In fact, in the VA situation, "No laws appear to have been broken."
Yes, working at home can be safe. But right now, that's utopia; it's not safe, for millions of workers, and millions of identity theft victims. The data isn't secured. It's left in taxicabs, hotel rooms and on park benches. It's stolen from homes and parked cars.
So since we're already living in a utopia, I would like to propose a different utopia: Keep the data safe by leaving it at work. With all apologies to Jonathan Swift, I can't help but wonder if this modest proposal -- work only at work -- doesn't sound as crazy as telling the Irish to eat their young.
I know some workers (such as journalists) really do need to be connected 24 hours a day, seven days a week. But many – and I would guess most – simply log in out of peer pressure.
I was in Ireland not long ago talking to Microsoft employees who often teased their American counterparts over this point. The Americans were frustrated that at 5 p.m. Dublin time (9 a.m. in Seattle) the Irish workers could no longer be found at their cubicles or contacted by e-mail, but instead were lifting a pint at a local pub. In response to accusations of a lack of industriousness, the Irish told me that Americans may spend more hours working on e-mail – in fact, they seem to be doing that all the time – but weren't actually getting very much done. In Ireland, they told me, the focus is work until 5 p.m., and after that, the focus goes elsewhere.
We could learn a thing or two from the Irish work ethic. A company rule saying work stays at work would be a boon to American families. And if you need a business case, it would be a boon for the safety of our data, too.