Four out of five US companies have lost at least one laptop containing sensitive information over the past year. Indeed only one in 10 companies say there was no sensitive or confidential info on the lost laptop.

But worse still, most companies are ignorant about what's actually on the missing hardware, according to the Confidential Data at Risk study conducted by the Ponemon Institute.

Nearly two out of three (64 per cent) admitted their companies had never conducted a data inventory to determine where employee and customer information was located, and half (49 per cent) admitted that business confidential information has never been inventoried. Questioned how long it would take to determine what kind of sensitive data was on the missing laptop, file server, desktop or mobile device, the most frequent answer was "never".

This is despite organisations claiming that the intellectual property most at risk included electronic spreadsheets, competitive intelligence and source code.



The study suggests that cases like the one where global beancounters Ernst&Young went and lost a laptop containing confidential information of their customers, something I blogged on earlier this year, might be just the tip of the iceberg.

Sure, firms like Gartner offer tips to prevent data leaks.

But an encryption program about as useful as a sixth finger if you don't know what to encrypt.

This is more than just stupid. It's legally irresponsible.

Sarbanes-Oxley requires CEOs and CFOs to attest to their companies having proper internal controls. If the systems maintaining financial data aren't demonstrably secure, then executives would have difficulty vouching for the validity of the data and the soundness of their internal controls.

In other words, data security is not a matter of "best practice". Lawyers would argue it's now a legal requirement.

So four out of five companies are losing laptops, and that they don't even know what's on them? Sounds like they're asking for legal disaster.