American Bar Association

Law Practice Today


  Technology

Should You Handcuff Your Laptop To Your Wrist?

February 2008

The information you store on your laptop is as valuable as the computer itself. Steven Berwick shares methods you can use to keep your confidential information secure when using portable technology.

What do you say to a client when one of your associates leaves a laptop containing the client’s confidential data in the seat pocket of an airplane? What if your rental car is burglarized and the laptop is stolen from the back seat? Or if the rude stranger pushing past you in the ticket line at Grand Central scoops your laptop bag off the floor and disappears?

Over the past two years, we’ve seen more and more incidents where laptop loss has resulted in a loss of sensitive data. Data about employees, patients, clients and consumers has gone astray. The organizations whose security was breached have included financial companies, educational institutions, audit firms, government agencies, and professional service firms. The Gartner Group counted 15 million victims in 2006; other studies show that laptops account for up to 45% of incidents.

IT departments focus much of their energy on network security. Network authentication, firewalls, intrusion protection systems, and various surveillance and early warning tools work 24/7 to defend a company’s network from attack and protect its confidential data. But once that data moves to a laptop, it may be fair game for those seeking the easily marketable names, addresses, social security numbers and financial information that fuel identity theft.

In your practice, you may need to take data files to clients’ offices. You may travel across the country for meetings, depositions or trials. If you’re like many professionals, you may need to take files home over the weekend, or even on vacation with you, to keep engagements on track. What should you do to protect sensitive data?

All client data is valuable and confidential and needs to be secured. Assess the level of risk when you decide which of the following security methods to choose for specific information, and when you develop your policy. For example, personal identity information, which includes client social security numbers, may warrant a higher level of security than client files which are already public record in a litigation matter.

Common sense

Minimizing risk, and your firm’s embarrassment and potential liability, begins with common sense. When your firm used only paper files, did you leave them on the table at a restaurant? Did you even leave them in the trunk of your car? You probably had a policy, or at least an understanding, that this confidential data shouldn’t leave your sight.

The same should apply to data on a laptop. Don’t leave your laptop unattended, whether in an office, a restaurant, or in your car, and don’t check it with your luggage. Consider packing it in an ordinary-looking briefcase, not a laptop bag. And don’t put your laptop on the floor when checking in for your flight, or in other crowded locations like train stations.

Depending on your practice and the type of clients you serve, you’ll probably need to take additional steps to protect your data.

Policies

The next level of security is the establishment and enforcement of data management policies. Kaufman, Rossin & Co.’s policy, for example, is that no data files are kept on hard drives. If files are taken on a laptop to a client site, the files are copied to a single laptop that never leaves the employee’s possession. When returning to the office, the file is moved back to the network and the laptop copy is destroyed.

But if you travel often with confidential data, you’ll want more security.

Passwords

Passwords are the next step. The passwords we use every day provide only a minimal level of security. Most passwords chosen by users can be easily guessed, and they’re often written down and shared with others. Smart hackers can figure out passwords with relative ease. Kaufman, Rossin & Co.’s password policy prohibits sharing of passwords. It requires employees to change their passwords every three months, to use six characters that include both letters and numbers, and not to reuse old passwords. These requirements are intended to make passwords more difficult for hackers to guess.
But a thief can also remove the hard drive from a laptop and access the data from another computer without the password.

Hard drive passwords

Most laptops support a hard drive password. With this type of password, if you remove the hard drive you can’t just install it in another computer and access the data. Currently, this will stop most thieves from getting to your sensitive data. Our firm uses hard drive passwords for all of our laptops and, to make these passwords more difficult to hack, we assign them randomly rather than letting employees choose them. But new tools are appearing on the market daily to circumvent security measures, including at least one that claims to break the hard drive password.

Encryption

Data encryption is the next step. If you handle sensitive data, like identity information, consider encryption. There are several levels. The Windows Encrypting File System is a basic file/folder encryption tool. The problem with this level of encryption is that it relies on the user to save sensitive data into the right (encrypted) locations. Full disk encryption seems like a logical solution, but it also has issues. Encrypting an entire disk takes a significant amount of time, performance may be slowed by the ongoing encryption of every file as you work, and the programs may interfere with other processes.
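The gap in file/folder encryption described above can be checked for directly. The following PowerShell script is an added example, not part of the original article or any Kaufman, Rossin & Co. tooling: it lists plain-text files that contain social-security-number-like strings but do not carry the EFS Encrypted attribute. The `$Root` default, the extension list and the 3-2-4 digit pattern are assumptions to adjust for your own environment.

```powershell
# Added example: report files with SSN-like content that are NOT EFS-encrypted.
# $Root and $Extensions are assumed defaults, not values from the article.
param(
    [string]$Root = "$env:USERPROFILE\Documents",
    [string[]]$Extensions = @('.txt', '.csv', '.rtf', '.xml', '.htm', '.html')
)

# Nine digits in the usual 3-2-4 grouping (format match only, no validation).
$ssnPattern = '\b\d{3}-\d{2}-\d{4}\b'

function Test-EfsEncrypted {
    param([System.IO.FileSystemInfo]$Item)
    # EFS marks protected files and folders with the Encrypted attribute.
    return [bool]($Item.Attributes -band [System.IO.FileAttributes]::Encrypted)
}

$findings = Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $Extensions -contains $_.Extension.ToLower() } |
    Where-Object { -not (Test-EfsEncrypted $_) } |
    ForEach-Object {
        # Count matches only; the matched values are never written to output.
        $hits = Select-String -LiteralPath $_.FullName -Pattern $ssnPattern `
                    -AllMatches -ErrorAction SilentlyContinue
        if ($hits) {
            [pscustomobject]@{
                Path         = $_.FullName
                MatchCount   = ($hits.Matches | Measure-Object).Count
                LastModified = $_.LastWriteTime
                # True means the file sits in an encrypted folder but was
                # itself left unencrypted (for example, copied in by a tool).
                FolderIsEfs  = Test-EfsEncrypted $_.Directory
            }
        }
    }

if ($findings) {
    $findings | Sort-Object MatchCount -Descending | Format-Table -AutoSize
} else {
    Write-Output "No unencrypted files with SSN-like content under $Root"
}
```

Only text-based formats are searched, so a clean result does not cover binary document formats or data stored outside `$Root`.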

Tracking Tools

Recently popular are tracking services designed to locate and recover stolen laptops. The idea is that when someone steals your laptop, once he connects to the Internet the tool will detect his location and begin deleting files from the hard drive. Skeptics might say that if someone is seeking to steal your sensitive client data, he or she is sharp enough to avoid connecting your laptop directly to the Internet to do so.

Identity theft is a continuing issue, and laptops seem to be a target. There is no security measure that provides 100% protection of sensitive data stored on a laptop. But developing policies and implementing tactics appropriate to the sensitivity of your data will minimize the risk to your firm and your clients. This isn’t just a good idea – it should be a priority.

Identity Theft Resource Center, http://www.idtheftcenter.org

About the Website

Steven Berwick is a Principal at Kaufman, Rossin & Co., and directs the firm’s Information Technology Department. He can be reached at sberwick@kaufmanrossin.com
