Yea! And maybe, hopefully, none of the identity information was compromised. (See story.) What can we learn from this?
First, CA 1386 provides an exclusion for data that is encrypted: the notification duty it creates applies to unencrypted personal information. That should be outright obvious to everyone. ENCRYPT IT! And, whatever the statute says, encryption only protects the data if the key or passphrase was not sitting on the same stolen machine.
There is a question whether the employee had permission to have the data at home. Make sure you have a policy that settles this condition. For instance, if I have permission to work at home, and I have permission to access the data, and nothing further is said, this presumes I have permission to have the data at home. If that is not what you want, make sure everyone knows the situation and the permissions required.
There is the question whether the identity information was compromised. How can we help to determine that if it happens to us? First, make sure that any access to the major database produces an *encrypted* data subset. (Log the access and review the log often; the log also tells you exactly which subset was on the missing machine.) This establishes that the data on the recipient machine is meant to stay encrypted. Plus, knowing he has a protected copy, the worker can erase any unencrypted version when it is not actively being used, so the lifespan of unencrypted copies is shorter. Second, this forces the user to decrypt the information at the time he needs to work with it, creating a new file with a then-current time/date stamp. That helps forensics: if the machine is recovered, the timestamps on the plaintext copies show whether, and when, the data was actually opened.
This is not a complete solution, because create/delete/create/delete leaves the hard disk full of "unused" sectors that still contain the sensitive information. But that would happen without this process too. So, at least adopt a process that is useful. And be reminded that the disk needs to be wiped often: overwrite the plaintext before deleting it, wipe free space regularly, and keep in mind that journaling filesystems and flash drives can keep old copies that a file-level wipe never touches, which is what whole-disk encryption is for.
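The export-encrypted, decrypt-on-use, erase-after-use process described above, as an added example in Go; it is not code from the original post. It assumes AES-256-GCM for the exported file (nonce followed by ciphertext and tag), a random 32-byte key that stands in for a key fetched from a key manager or unlocked by the worker's passphrase, a constructed CSV extract in place of a real database query, and function names (ExportEncryptedSubset, DecryptForUse, EraseWorkingCopy) and an access-log line format of my own choosing.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"os"
	"path/filepath"
	"time"
)

// sampleSubset is a constructed CSV extract, not real identity information.
var sampleSubset = []byte("name,ssn\nA. Example,000-00-0001\nB. Example,000-00-0002\n")

// writeFile opens path with flag (mode 0600), writes data and syncs it to disk.
func writeFile(path string, flag int, data []byte) error {
	f, err := os.OpenFile(path, flag, 0o600)
	if err != nil {
		return err
	}
	defer f.Close()
	if _, err = f.Write(data); err == nil {
		err = f.Sync()
	}
	return err
}

// ExportEncryptedSubset is the only path data takes out of the main database:
// the extract is written as nonce || ciphertext+tag, and the access is logged.
func ExportEncryptedSubset(v cipher.AEAD, subset []byte, outPath, logPath, user string) error {
	nonce := make([]byte, v.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	blob := v.Seal(nonce, nonce, subset, nil)
	if err := writeFile(outPath, os.O_CREATE|os.O_EXCL|os.O_WRONLY, blob); err != nil {
		return err
	}
	entry := fmt.Sprintf("%s export user=%s bytes=%d file=%s\n",
		time.Now().UTC().Format(time.RFC3339), user, len(subset), filepath.Base(outPath))
	return writeFile(logPath, os.O_APPEND|os.O_CREATE|os.O_WRONLY, []byte(entry))
}

// DecryptForUse makes the working plaintext copy. A wrong key or a modified file
// fails GCM authentication; O_EXCL forces a brand new file, so its timestamps
// record when the data was actually opened.
func DecryptForUse(v cipher.AEAD, encPath, plainPath string) ([]byte, error) {
	blob, err := os.ReadFile(encPath)
	if err != nil {
		return nil, err
	}
	n := v.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("%s: encrypted file too short", encPath)
	}
	plaintext, err := v.Open(nil, blob[:n], blob[n:], nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt %s: %w", encPath, err)
	}
	return plaintext, writeFile(plainPath, os.O_CREATE|os.O_EXCL|os.O_WRONLY, plaintext)
}

// EraseWorkingCopy zero-fills the plaintext, syncs, then unlinks it. Caveat:
// journaling/copy-on-write filesystems and flash wear levelling can keep the old
// blocks, so periodic free-space wiping (or whole-disk encryption) is still needed.
func EraseWorkingCopy(path string) error {
	info, err := os.Stat(path)
	if err != nil {
		return err
	}
	if err := writeFile(path, os.O_WRONLY, make([]byte, info.Size())); err != nil {
		return err
	}
	return os.Remove(path)
}

func main() {
	dir, _ := os.MkdirTemp("", "subset")
	defer os.RemoveAll(dir)
	key := make([]byte, 32) // assumption: stands in for a key from a key manager, never stored on the laptop
	rand.Read(key)
	block, _ := aes.NewCipher(key)
	v, _ := cipher.NewGCM(block)
	enc, plain, logPath := filepath.Join(dir, "s.enc"), filepath.Join(dir, "s.csv"), filepath.Join(dir, "access.log")
	if err := ExportEncryptedSubset(v, sampleSubset, enc, logPath, "worker1"); err != nil {
		panic(err)
	}
	if _, err := DecryptForUse(v, enc, plain); err != nil {
		panic(err)
	}
	if err := EraseWorkingCopy(plain); err != nil {
		panic(err)
	}
	logData, _ := os.ReadFile(logPath)
	fmt.Print(string(logData))
}
```

Because the plaintext is created with O_EXCL, a second decrypt while a working copy still exists fails instead of silently replacing it, and the file's creation and modification times belong to that one decryption. EraseWorkingCopy zero-fills and syncs before unlinking, which is the most a file-level wipe can do; the filesystem and drive caveats above still apply.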
When's the best time to learn and think about all this? When someone *else* makes the mistake, of course. Unless your purpose is to get funding. But do you want to have to spend that much money and face all that bad publicity?
