Untitled Document

Warning: In Five Seconds, This PC Will Self-Destruct Start-Ups Sell Technology to Remotely Zap Data

By VAUHINI VARA THE WALL STREET JOURNAL ONLINE
June 23, 2005

Companies looking to protect sensitive data on stolen gadgets are taking a page from Hollywood, with hard drives that destroy themselves when picked up by a thief, software that remotely zaps documents from a desktop computer and technology that scrubs clean handheld devices when the wrong password is entered too many times.

The tools are attracting customers from Wall Street to Washington, D.C., who are willing to go to significant lengths to avoid data theft -- and the negative publicity that comes with it -- as new laws compel companies to more fully disclose breaches. "Those types of regulation are really driving corporations to say, 'What can I do to make sure I am in compliance?'" says Ben Haidri, vice president of business development and marketing at Absolute Software Corp., whose software includes a feature that remotely deletes private data.

Absolute Software asks users of its Computrace software to call a hotline to report a lost or stolen PC. If the customer is worried that sensitive data could get into the wrong hands, he can ask Absolute to wipe those files the next time the computer connects to the Internet. The wiping process involves overwriting all of the computer's data with random information several times, rendering the data unrecoverable. The process usually takes less than 10 minutes, Mr. Haidri says, but can last up to half an hour, depending on the amount of data to be removed. The Vancouver company says about 400,000 people -- including employees of 3,000 businesses -- use the software, which sells for about $100 per user for a three-year contract.

For customers who worry that a wily thief might stay away from the Internet, Absolute offers extra safeguards, like the option to delete files if a user fails to enter the correct password on a PC. Meanwhile, closely held Beachhead Solutions Inc. automatically deletes files or shuts down a PC making it inaccessible, unless users enter a password on a regular basis -- say, every three days or once a week -- or if a password is entered incorrectly too many times. The PC can be unlocked by a company's computer administrator.

Some experts warn that such technology isn't a security cure-all. For instance, blasting private data from lost or stolen PCs won't protect companies from theft by disgruntled employees looking for payback. Others say the tools could make it too easy for information to be accidentally removed: "I can see a situation where, if the controls are too stringent, one executive is going to get his laptop hosed because he's been in Malaysia for three weeks inspecting factories," says Andrew Jaquith, a security analyst at the Yankee Group, a technology research firm in Boston. "It takes one mistake to make a piece of software like this very unattractive."

Others ask, what happens when an absent-minded employee simply forgets his password? "I have had mornings where I couldn't remember one of my 13 or 14 passwords -- and I've tried several times," said Stephen Northcutt, a researcher at the SANS Institute, a computer-security research and training organization in Bethesda, Md.

Larry St. Regis, information services manager at Heritage Bank of Commerce in San Jose, Calif., first saw Beachhead's software demonstrated earlier this year at a computer-security conference in San Francisco. "I thought it was outstanding," he said. His small bank equipped 35 desktop and notebook computers with the software, which overwrites selected files when a PC has been unplugged from the bank's network for an extended period, or when it accesses the Internet at a suspicious time, such as when an employee is on vacation. So far, the bank hasn't lost any computers equipped with the software.

Ensconce Data Technologies Inc., a two-year-old company in Portsmouth, N.H., is developing an approach even more reminiscent of James Bond: It hides a chemical mist in a pocket in a special hard drive. If a warning signal is tripped -- say, if a vandal tampers with the computer, or a built-in global-positioning system detects that it has been moved too far from its normal location -- the mist wafts over the hard drive, destroying it layer by layer. "Absolutely everything is gone," says President Jack Thorsen.

Mr. Thorsen declines to disclose details about the chemical used to destroy the drive, except to say that it is no more toxic than "anything you'd find under your sink."

"I wouldn't put my hand in a vat of it, but it's fairly benign," he says.

The hard drive is shock resistant, so dropping the computer won't accidentally trigger the destruction. Because the mist is housed within the hard drive, it also won't damage the rest of the computer. Ensconce aims to start selling the hard drives to military and business customers early next year for $2,500 to $9,000 each.

The market for technology to remotely delete data is still small, analysts say, and as recently as last year, it barely existed. Companies have largely relied on software that encrypts sensitive information so that it can't be read by unauthorized users. But over the past several months, a spate of high-profile thefts has put focus on products that go further in protecting data. Those behind the technology are focusing on customers like banks, military contractors and others most likely to pay a premium to protect data.

"There are customers with very high-value assets that need to be protected, and these solutions are going to help protect that information," says Mr. Jaquith, the Yankee Group analyst.

Among the high-profile tales of theft reported in recent months, a laptop containing social security numbers of MCI Inc. employees was lifted from a car parked in an MCI financial analyst's garage, a laptop with travel account information for Justice Department employees was swiped from a travel agency and two computers with Social Security numbers of Motorola Inc. workers were stolen from the company's human resources firm. Security experts still talk about an incident that took place five years ago, when the personal laptop of Qualcomm Inc.'s chief executive was nabbed from a conference podium. The laptop, which contained confidential corporate information, was never recovered.

"If a user doesn't do a good job of protecting his password, or leaves his security token near his laptop, you might as well not have any security," says Jim Obot, chief executive of Santa Clara, Calif.-based Beachhead Solutions. "The idea of eliminating data is the ultimate form of security." The company says it has about 15 corporate customers, who pay up to $129 a year for each computer using its software.

Still, at least one company is holding back from enabling the self-destruct feature of its security software. PepsiAmericas Inc. -- the soft-drink bottler that is part-owned by PepsiCo Inc. -- recently started passing out handheld devices to members of its sales force to take orders, check stock and send messages back and forth.

The company installed software from McLean, Va.-based Trust Digital to automatically lock the handhelds when an incorrect password has been entered too many times, barring impostors from accessing them. But Laszlo Kovari, an information-technology and security manager at PepsiAmericas, said his department stopped short of turning on the software's "self-destruct" feature. They worried that the sales people could inadvertently erase important data. Write to Vauhini Vara at vauhini.vara@wsj.com