Should You Handcuff Your Laptop To Your Wrist?
What do you say to a client when one of your associates leaves a laptop containing the client’s confidential data in the seat pocket of an airplane? What if your rental car is burglarized and the laptop stolen from the back seat? Or if the rude stranger pushing past you in the ticket line at Grand Central scoops your laptop bag off the floor and disappears?
Over the past two years we’ve seen more and more incidents where laptop loss has resulted in a loss of sensitive data. Data about employees, patients, clients and consumers has gone astray. The organizations whose security was breached have included financial companies, educational institutions, audit firms, government agencies and professional services firms. The Gartner Group counted 15 million victims in 2006; other studies show that laptops account for up to 45% of incidents.[1]
IT departments focus much of their energy on network security. Network authentication, firewalls and intrusion protection systems, and various surveillance and early warning tools work 24/7 to defend a company’s network from attack and protect its confidential data. But once that data moves to a laptop, it may be fair game for those seeking the easily marketable names, addresses, social security numbers and financial information that fuel identity theft.
In your practice, you may need to take data files to clients’ offices. You may travel across the country for meetings, depositions or trials. If you’re like many professionals, you may need to take files home over the weekend, or even on vacation with you, to keep engagements on track. What should you do to protect sensitive data?
All client data is valuable and confidential and needs to be secured. Assess the level of risk when you decide which of the following security methods to choose for specific information and when you develop your policy. For example, personal identity information, which includes client social security numbers, may warrant a higher level of security than client files which are already public record in a litigation matter.
Common sense
Minimizing risk – and your firm’s embarrassment and potential liability – begins with common sense. When your firm used only paper files, did you leave them on the table at a restaurant? Did you even leave them in the trunk of your car? You probably had a policy – or at least an understanding – that this confidential data shouldn’t leave your sight.
The same should apply to data on a laptop. Don’t leave your laptop unattended, whether in an office, a restaurant or in your car, and don’t check it with your luggage. Consider packing it in an ordinary-looking briefcase, not a laptop bag. And don’t put your laptop on the floor when checking in for your flight or in other crowded locations like train stations.
Depending on your practice and the type of clients you serve, you’ll probably need to take additional steps to protect your data.
Policies
The next level of security is the establishment and enforcement of data management policies. Kaufman Rossin’s policy, for example, is that no data files are kept on hard drives. If files are taken on a laptop to a client site, the files are copied to a single laptop that never leaves the employee’s possession. When returning to the office, the file is moved back to the network and the laptop copy is destroyed.
But if you travel often with confidential data, you’ll want more security.
Passwords
Passwords are the next step. The passwords we use every day provide only a minimal level of security. Most passwords chosen by users can be easily guessed, and they’re often written down and shared with others. Smart hackers can figure out passwords with relative ease. Kaufman Rossin’s password policy prohibits sharing of passwords and requires employees to change their passwords every three months, to use six characters that include both letters and numbers, and not to reuse old passwords. These requirements are intended to make passwords more difficult for hackers to guess.
But a thief can also remove the hard drive from a laptop and access the data from another computer without the password.
Hard drive passwords
Most laptops support a hard drive password. With this type of password, if you remove the hard drive, you can’t just install it in another computer and access the data. Currently, this will stop most thieves from getting to your sensitive data. Our firm uses hard drive passwords for all of our laptops and, to make these passwords more difficult to hack, we assign them randomly rather than letting employees choose them. But new tools are appearing on the market daily to circumvent security measures, including at least one which claims to break the hard drive password.
Encryption
Data encryption is the next step. If you handle sensitive data like identity information, consider encryption. There are several levels. The Windows Encrypting File System is a basic file/folder encryption tool. The problem with this level of encryption is that it relies on the user to save sensitive data into the right (encrypted) locations. Full disk encryption seems like a logical solution, but it also has issues. Encrypting an entire disk takes a significant amount of time, performance may be slowed by the ongoing encryption of every file as you work, and the programs may interfere with other processes.
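The file/folder gap described above can be checked for. The PowerShell script below is an added example, not part of the original article or of Kaufman Rossin's tooling; it lists plain-text files that contain Social Security number patterns but lack the Encrypting File System attribute. The folder, the extension list and the pattern are assumptions to adapt.

```powershell
# Added example: report files that appear to hold Social Security numbers
# but were saved outside an EFS-encrypted location.
# Assumptions (not from the article): the default folder, the extension
# list and the NNN-NN-NNNN pattern. Only plain-text formats are searched;
# binary office documents need a content-aware scanner.
param(
    [string]$Root = "$env:USERPROFILE\Documents",
    [string[]]$Extensions = @('.txt', '.csv', '.xml', '.htm', '.html')
)

# The usual written form of a U.S. Social Security number.
$ssnPattern = '\b\d{3}-\d{2}-\d{4}\b'

$findings = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $Extensions -contains $_.Extension.ToLower() } |
    Where-Object {
        # EFS sets the Encrypted attribute bit on every file it protects.
        -not ($_.Attributes -band [System.IO.FileAttributes]::Encrypted)
    } |
    ForEach-Object {
        # Count matching lines only; the matched values are never printed.
        $hits = @(Select-String -LiteralPath $_.FullName -Pattern $ssnPattern `
                    -ErrorAction SilentlyContinue)
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Path          = $_.FullName
                MatchingLines = $hits.Count
                LastWrite     = $_.LastWriteTime
            }
        }
    }

if ($findings) {
    $findings | Sort-Object MatchingLines -Descending | Format-Table -AutoSize
} else {
    Write-Output "No unencrypted files with SSN-like content found under $Root"
}
```

An empty result only covers the formats and folder scanned; it does not show that every sensitive file on the laptop is encrypted.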
Tracking Tools
Tracking services designed to locate and recover stolen laptops have recently become popular. The idea is that when someone steals your laptop, once he connects to the Internet, the tool will detect his location and begin deleting files from the hard drive. Skeptics might say that if someone is seeking to steal your sensitive client data, he or she is sharp enough to avoid connecting your laptop directly to the Internet to do so.
Identity theft is a continuing issue, and laptops seem to be a target. There is no security measure that provides 100% protection of sensitive data stored on a laptop. But developing policies and implementing tactics appropriate to the sensitivity of your data will minimize the risk to your firm and your clients. This isn’t just a good idea – it should be a priority.