New England Biz Law Update
Another day, another story of stolen laptops filled with personal information.
The spate of thefts began in May 2005 with the laptop of a Justice Department employee which contained the information of 80,000 fellow department employees.
This was followed in May 2006, when a data analyst at the federal Veteran’s Administration had his laptop stolen from his home, resulting in the theft of personally identifiable information of 26.5 million veterans and their spouses.
And this summer, the credit bureau Equifax announced that an employee traveling in England had a laptop stolen that contained thousands of names and Social Security numbers.
“Frankly, I’m surprised these problems didn’t happen sooner,” said Jennifer Berman, managing director for CBIZ HR advisory and training security group in Chicago, which provides HR consulting services. “All this mobility – laptops, Blackberrys, etc – comes with a price.”
Since February 2005, the data records of 88 million U.S. residents have been exposed by security breaches, according to the Privacy Rights Clearinghouse, a consumer advocacy organization in San Diego, Calif.
“If a company or government laptop contains personal data, like a name and a Social Security number, or credit account information, there is a huge danger of identify theft,” explained Beth Givens, director of the Privacy Rights Clearinghouse. “A thief can commit new account fraud – using the personal data to open new accounts – or existing account fraud, where they deplete any existing accounts someone might have.”
Either way, the company in possession of the information loses, with negative publicity, costly security repairs and possible legal action against it.
In response, employers are beginning to crack down on mobile technology security, with stricter policies, more training and real enforcement.
What to do
While legal liability for security breaches is still limited, employers are nonetheless responding to the threat.
“At a minimum, the laptop should be password protected so a casual visitor can’t get in with ease,” advised Peter Swire, a professor at the Ohio State University’s Moritz College of Law who focuses on privacy and cybersecurity.
The next step, he said, “is to have encryption of data at rest in the laptop, which should happen much more often that it does currently.”
Encryption may affect the performance of certain programs on a laptop or slow down functions, but it is an employer’s best tool for data protection.
“Encryption is very effective and inexpensive, and for most employers it’s a feasible option,” Swire said.
Vincent I. Polley, a partner at Dickinson Wright in Bloomfield Hills, Mich. who specializes in business technology and security law, cautioned that employers shouldn’t overreact to the current publicity about security breaches.
“There are some employers who are moving toward centralized monitoring and surveillance, who are using dedicated employees to read e-mails and watch where em ployees go on the web,” he noted. “But the smart companies are utilizing flexible policies that allow employees to remain autonomous.”
Below are some tips for increasing laptop security and minimizing risk, while still allowing employees to utilize mobile technology.
Have a clear security policy.
First and foremost, all companies need to have clear policies in place dictating the boundaries of employee laptop use.
“Any mobile technology equipment needs to have its own policy – Blackberrys, laptops, you name it,” Berman said. “And the policy needs to have clear ramifications in place so that employees know what the penalties would be for failing to properly abide by [it].”
Employers need to enforce the policy and be prepared to discipline or even fire someone who violates it, Berman added. In the VA laptop case, the employee who took the computer home had violated policy by failing to complete a security review. He (as well as a superior) was placed on administrative leave.
Training and reinforcement.
“You can’t just hand someone a policy when he starts work, have him sign it and walk away,” Berman said. Employees must be made aware of the policy regarding laptop usage, and be trained even in things that may seem logical – such as not leaving a laptop in an airport while you go to the restroom.
Berman analogized to anti-harassment training. “Most of this stuff is common sense,” she said. “But employees need to be made aware that they can hurt the company and potentially harm their own careers as well.”
Polley, a member of the ABA Standing Committee of Law and National Security, noted that a one-hour class with an IT person may not deliver the message that the company is truly concerned about security.
“If security is important to organization, then management has to show that it’s important,” he said. “This is an issue not just for the IT department, but for the chairman and CEO to talk about and model correct behavior to demonstrate its importance.”
In addition, Berman suggested sending regular reminders to remind people about specific practices, such as changing passwords, for example.
Limiting access.
Some companies are disabling USB connections to limit employees’ ability to use accessories or blocking certain types of programs that can make computers easier targets. Others dictate what level of access a given employee has to certain information or levels of the network, and require multiple levels of authentication in addition to mere access to the laptop itself.
“If an employee is allowed to work remotely with confidential information or to access the network, he or she shouldn’t be given unlimited access,” Berman emphasized. “Even if he can get into the network, he shouldn’t be able to get to every single thing.”
Log off and shut down.
A new trend is theft that occurs in the office itself. Cleaning crews using thumb drives can download an entire hard drive in a matter of minutes if a computer is left logged on to the system.
“You should also have all computers set to log out of the system after a set period of inactive use,” Berman noted, and require a password to log back in.
Employers’ liability is limited (so far)
The first security breach story broke in February 2005, when ChoicePoint, a consumer data broker, reported that the personal information of 145,000 consumers stolen in a fraudulent data access by identity thieves.
In the wake of that scandal, 22 states responded by passing legislation mimicking California’s S.B. 1386, which mandates consumer notification of security breaches.
This year ten more states – Arizona, Colorado, Hawaii, Idaho, Indiana, Kansas, Maine, Nebraska, Utah and Wisconsin – adopted notification statutes, and an additional 18 have proposed legislation pending.
While the statutes vary from state to state, they generally require a company to inform its customers if personal information (typically defined as a name and another identifying characteristic) is released.
In addition to notification, some companies, like Providence Healthcare in Oregon (which had a security breach of the personal information of 365,000 patients in December 2005), are now offering a year of free credit monitoring for victims of a security breach.
So far, none of the new laws hold companies liable for breaches, and private suits alleging negligence against companies who experienced a security breach have been unsuccessful.
