Line of defense: simple and complex security measures help protect against lost and stolen laptops

Did you read about the U.S. Department of Veterans Affairs employee who lost a laptop that contained personal information of some 26 million veterans? Or about the AICPA employee who lost a laptop that contained Social Security numbers and other personal information of many AICPA members? And then there was the auditor whose laptop, which contained more than 500 Social Security numbers of current and former employees of a large law firm's pension plan, was stolen.

CPAs used to secure data in their offices or locked in briefcases. Today, however, with the ease of accessing and storing sensitive information on laptops, CPAs need to reconsider how they keep client information confidential and secure.

How Do I Secure My Laptop?

Because of their portability, laptops offer a great opportunity to work from anywhere. But with that opportunity comes risk, and the loss incurred when a laptop is lost or stolen is generally much greater than the cost of replacing the hardware. There may be extensive effort and cost in reconstructing lost data, not to mention the cost of corrective measures relating to the theft of sensitive information.

A primary step toward protecting client data is to adopt some general standards that make sense for the firm. While one size does not fit all, some effective controls that enhance data security can be implemented regardless of firm size or complexity. Such standards, which should be put in writing and communicated to employees regularly, should address the type of information that is stored on laptops. For one firm, it may be acceptable to store client files; for other firms, the decision may depend on the type of client, the sensitivity of the information and the control measures already in place.

With regard to private or sensitive information, the best, and most obvious, solution is not to load it on a laptop unless it is absolutely necessary to perform the work. If it is necessary, put security controls in place before loading any files. For example, consider having the client redact sensitive components of the information if they are not needed for your scope of work. Also consider password-protecting spreadsheet files to prevent unauthorized access.

Another way to mitigate risk is to think carefully about where and when to bring a laptop. After all, the best way to avoid theft or loss is to eliminate the possibility. For example, it may be possible to leave your laptop behind if, while traveling, you only need to check e-mail and have access to a computer facility, such as a hotel business center. Or, if you are temporarily working at an off-site branch office, consider using a computer at that location to eliminate the risk of theft.

Reasonable laptop security measures also should include keeping account of the device at all times. At work or while traveling, always assume physical controls are at their lowest level. Laptops are more likely to find their way into the hands of thieves than to merely get lost or misplaced, and a thief needs only a few seconds to take advantage of inattention. Cable lock kits are an inexpensive solution to this problem. If a locking mechanism is not available, keep the laptop out of plain sight when unattended. Theft of laptops also may occur in the office, so using a locking mechanism at your own desk is a good control.

Peripheral storage devices, such as USB flash drives, are easily transported and can help keep data secure, since they can be removed from the computer and securely stored elsewhere by the user. Diskettes and CDs have similar benefits. But it is important to note that the incorrect use of these devices may lead to a control weakness. If you lock up the laptop but leave the USB drive accessible, for example, a thief can simply unplug it and walk away with the information without having to steal the laptop itself. To stop unauthorized users from inserting a disk and transferring a virus, it may be necessary to secure the disk drive with a Universal Drive Lock, which locks external and internal drives.

In addition to physical controls, passwords should be used at all times. A few simple options include:

* Screensaver passwords: These automatically kick in when the computer has been unattended for a specified period of time. To work on the computer again, the user must enter a password.
* Log-on passwords: This password challenges the user before any programs can be started.
* Password-protected files: These can be used to protect spreadsheets, for example, from unauthorized access.

Note that the first two protect only the running system: a thief who removes the hard drive can read unencrypted files without ever seeing a password prompt, which is why the encryption discussed below matters.
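The password-protected files item above and the Encryption section later in the article are both about keeping a stolen file unreadable. The following Python is an added example, not code from the article or its authors, showing what that looks like when done properly: a key stretched from a passphrase with scrypt, AES-256-GCM so that a wrong passphrase, a renamed file or an altered ciphertext is rejected instead of being decrypted into garbage, and a check that nothing from the sample record survives in the encrypted output. It assumes the third-party cryptography package is installed; the CPAENC1 marker, the field layout and the sample client record are all constructed for the illustration, and the scrypt cost parameters are kept low so the example runs quickly.

```python
"""Encrypt a client file with a passphrase before it goes on a laptop.

Added illustration, not code from the article. Uses the third-party
`cryptography` package (assumed installed) for AES-256-GCM and the standard
library's scrypt to turn a passphrase into a key.
"""
import os
import hashlib
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.exceptions import InvalidTag

MAGIC = b"CPAENC1"   # hypothetical file marker so a reader can recognise the format
SALT_LEN = 16
NONCE_LEN = 12
# scrypt cost parameters; raise N on a real deployment, these keep the demo fast.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch a passphrase into a 256-bit key. A fresh random salt per file
    means two files protected with the same passphrase get different keys."""
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def encrypt_file_bytes(plaintext: bytes, passphrase: str, filename: str) -> bytes:
    """Return MAGIC || salt || nonce || ciphertext-with-tag.

    The file name is bound in as associated data: it is not secret, but
    swapping the contents of two encrypted files is detected on decryption."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)   # never reuse a nonce under the same key
    key = derive_key(passphrase, salt)
    ct = AESGCM(key).encrypt(nonce, plaintext, filename.encode("utf-8"))
    return MAGIC + salt + nonce + ct


def decrypt_file_bytes(blob: bytes, passphrase: str, filename: str) -> bytes:
    """Inverse of encrypt_file_bytes. Raises ValueError on a wrong passphrase,
    a renamed file or a modified ciphertext, rather than returning garbage."""
    if not blob.startswith(MAGIC):
        raise ValueError("not an encrypted client file")
    off = len(MAGIC)
    salt = blob[off:off + SALT_LEN]
    nonce = blob[off + SALT_LEN:off + SALT_LEN + NONCE_LEN]
    ct = blob[off + SALT_LEN + NONCE_LEN:]
    key = derive_key(passphrase, salt)
    try:
        return AESGCM(key).decrypt(nonce, ct, filename.encode("utf-8"))
    except InvalidTag:
        raise ValueError("wrong passphrase or file has been altered") from None


def demo() -> dict:
    """Round-trip a constructed record (fictitious data) and report what an
    observer of the encrypted file can and cannot do with it."""
    # Constructed sample; the SSN is a made-up, invalid number.
    record = b"client,ssn,balance\nJane Doe,000-00-0000,12345.67\n"
    name = "pension_plan_2006.csv"
    passphrase = "long passphrase chosen by the firm"
    blob = encrypt_file_bytes(record, passphrase, name)

    result = {
        "plaintext_visible": b"000-00-0000" in blob,   # False: nothing leaks
        "round_trip_ok": decrypt_file_bytes(blob, passphrase, name) == record,
        "wrong_passphrase_rejected": False,
        "renamed_file_rejected": False,
        "tampering_rejected": False,
    }
    try:
        decrypt_file_bytes(blob, "wrong passphrase", name)
    except ValueError:
        result["wrong_passphrase_rejected"] = True
    try:
        decrypt_file_bytes(blob, passphrase, "other.csv")
    except ValueError:
        result["renamed_file_rejected"] = True
    tampered = bytearray(blob)
    tampered[-1] ^= 0x01        # flip one bit of the authentication tag
    try:
        decrypt_file_bytes(bytes(tampered), passphrase, name)
    except ValueError:
        result["tampering_rejected"] = True
    return result


if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value}")
```

Run it directly to see the five checks. The design point is that a file protected this way is unreadable to whoever ends up holding the laptop, whereas a password that merely protects a worksheet from editing does not encrypt the file's contents at all; only encryption of the file itself (or of the whole disk) keeps the data out of the "unencrypted" category the California statute quoted below turns on.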
Advanced Security

Other safeguards, such as security chips, fingerprint scanners, self-destructing hard drives, smart cards and encryption, are more complex controls.

Security Chips

Security chips can be used to disable a laptop when an unauthorized user tries to gain access, while also sending out an audio distress signal. Global positioning system (GPS) technology can then be used to determine the laptop's location. The same set-up can be used to encrypt or destroy sensitive data stored on a stolen laptop. However, to be effective, this technology needs to work in concert with other practical control measures, such as keeping track of laptops and implementing password protection. For example, there may be an extended period between when the laptop was stolen and when the theft was discovered. This period may be long enough for the data to be extracted, leaving the control measure short of the risk exposure for which it was designed. Self-destructing hard drives have similar attributes.

Fingerprint Scanners

This biometric control uses a fingerprint instead of, or in addition to, a password to gain access. The technology is costly, so firms will need to weigh cost against effectiveness, specifically in terms of the type of work conducted, the sensitivity of the information and the associated risks.

Encryption

Encryption scrambles information, making it unreadable to anyone without the key, so that data can be viewed only by the intended parties. To be most effective, encryption must work with other controls. If an unauthorized person has access to encrypted files, other controls were not in place or were not working to prevent that access. The unauthorized access may still result in damage, regardless of whether the person is able to read the files. When working with encrypted files, CPAs may run into compatibility issues with a client's system and may discover an increased need for IT support.

Smart Cards

Smart card technology offers numerous security advantages to organizations, including mechanisms that ensure personal identification number verification and access to cryptographic keys or other stored data are performed securely by authorized users.

What If I Lose a Laptop?

File a police report. Along with affording you the possibility of recovering the laptop, this can help your clients, who can submit the report number to credit agencies.

Disclose the theft to your potentially affected clients. A CPA has a professional, as well as legal, duty to maintain the confidentiality of client documents, and the potential breach of confidentiality and risk of identity theft should be disclosed. Under the AICPA Professional Standards, "A member in public practice shall not disclose any confidential client information without the specific consent of the client." Disclosure of confidential information to an unauthorized party, or the exposure of confidential information to an unknown party by means of a lost laptop, may result in the same damage to the client. In either case, the most likely cause of the damage is the absence of due professional care.

Also, California Civil Code Sec. 1798.82 requires any person or business that conducts business in California to notify any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The statute requires disclosure "in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement ... or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system." By statute, the disclosure must be in writing, and e-mail will suffice.

Determine if the laptop contains unencrypted confidential or personal client information. Under the Civil Code, the mandatory disclosure provision applies to unencrypted personal information, defined as a Social Security number; a driver's license number; or an account number or credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual's financial account. Regardless of whether the information on the laptop was encrypted, the client should promptly be made aware of precisely what kind of information is stored on the computer.

Inform your client on how to take precautions to minimize the losses resulting from identity theft. If the stolen laptop contains unencrypted Social Security numbers, tell your client how to report the potential loss of confidential information to a credit reporting agency, such as Equifax, Experian or TransUnion. These agencies can monitor your client's credit daily, including sending e-mail notice of any changes posted to your client's credit file within 24 hours. Credit reporting agencies also can provide a limited amount of identity theft insurance and access to fraud specialists.

Provide clients with identity theft protection information. Agencies that can help include:

* California Office of Privacy Protection, www.privacy.ca.gov or (866) 785-9663
* Federal Trade Commission, www.consumer.gov/IDtheft/ or (877) 438-4338

Evaluate additional steps to protect the client's information. This may include determining whether the CPA needs to deploy additional processes and controls on laptops or computer networks to protect against future inadvertent disclosure.

A Few Final Tips

A lost or stolen laptop can damage businesses, reputations and lives. CPAs must be vigilant in taking the necessary precautions to protect client information. These guidelines can serve as a starting point for securing laptops and knowing what to do in the event of a loss or theft:

1. Adopt sound data and hardware policies for the firm;
2. Determine the safeguards needed for traveling with a laptop;
3. Assume physical controls are at a minimum and take preventive measures;
4. Engage easily adaptable controls, such as cable lock kits, to prevent theft;
5. Use access controls, such as passwords, at all times;
6. If practical, use security chips, encryption and biometrics; and
7. Know what to do, and how to advise your clients, if your laptop is stolen.

Paul Fife, Esq., is a partner with San Francisco-based Wild, Carey & Fife. You can reach him at PaulFife@WCandF.com.

Francis Bueb, CPA, CITP, is a director with Sacramento-based Ueltzen & Company, LLP. You can reach him at fbueb@ueltzen.com.

BY FRANCIS BUEB, CPA AND PAUL FIFE, Esq.