Play it safe: keep your data from prying eyes.


You've seen the identity theft ads on television that feature people boasting about what they've bought using someone else's credit card and identification. There's the attractive woman who sounds like a computer geek itching to buy a 45-inch plasma TV, and the disheveled man who sounds like a teenager and talks of buying clothes. Funny ads, yes. But they point to the serious issue of keeping personal information private and secure.

In the past, this sort of credit card fraud occurred when individuals improperly handled credit card slips and other personal information. Fortunately, most firms now make a habit of shredding documents they no longer need.

And simply throwing documents, unshredded, into a dumpster isn't a safe security measure because the practice of "dumpster diving" has been used in business parks for years to obtain personal and confidential information.

SB 1386

California lawmakers stepped into the identity theft prevention arena after a hacker broke into a state computer server that housed payroll and other employee records and personal information.

For approximately 45 days, state employees were not informed that their information was at risk.

As a result, then-California Sen. Steve Peace introduced SB 1386 to remedy the notification issue, and the resulting law took effect July 1, 2003.

The law states that if two parts of information about a California resident that could be used for identity theft are reasonably believed to have been acquired by an unauthorized person, you must notify the affected party unless you have been instructed not to do so by authorities during an active investigation.

Protected sensitive data includes a person's name and one or more of the following: Social Security number; driver's license number; California ID number; credit card number; or debit card number in combination with the password code.

Think of the information residing in the computers at your office--or on laptop computers. Do you have files with names of clients, Social Security numbers, driver's license numbers or other information that could be used to steal their identity? Of course.
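As an added example (not part of the original article), the Python sketch below inventories a folder for two of the data elements listed above, Social Security numbers and card numbers, so you can see where such data is stored. The patterns, function names and sample record are assumptions constructed for illustration; name matching is not attempted, and a hit only marks a file for review.

```python
import re
from pathlib import Path

# Assumed formats (not from the article): SSNs written AAA-GG-SSSS, and
# 13-16 digit card numbers with optional space or hyphen separators.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum carried by payment card numbers; rejects random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_identifiers(text: str) -> dict:
    """Count SSN-like and card-like values; the values themselves are not kept."""
    ssns = sum(1 for _ in SSN_RE.finditer(text))
    cards = 0
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            cards += 1
    return {"ssn": ssns, "card": cards}

def scan_tree(root: str, max_bytes: int = 5_000_000) -> dict:
    """Map each file under root with at least one hit to its counts."""
    report = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.stat().st_size > max_bytes:
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file: skip it rather than abort the inventory
        hits = find_identifiers(text)
        if any(hits.values()):
            report[str(path)] = hits
    return report

# Constructed sample record (not real data); the last number fails the Luhn check.
SAMPLE = "Client: Jane Doe  SSN 123-45-6789  Visa 4111 1111 1111 1111  ref 1234567890123"
if __name__ == "__main__":
    print(find_identifiers(SAMPLE))
```

Files that show hits are the ones to move into encrypted storage or delete if no longer needed.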

Do you send information to vendors or banks via e-mail? Probably.

All such practices present opportunities for hackers to steal information--and if this happens, you must notify your clients, which can cost you money in terms of time and effort to make these notifications. But by taking the right steps, you can keep the information safe.

ENCRYPTION

Similar to your policies regarding document shredding, you should inform and educate your employees on the handling of the data: Where is it being stored? Where and to whom has it been sent? Beyond that, you must encrypt the information.

Laptops, which are the easiest devices to steal, are the easiest to bring into compliance. Using software such as a PGP drive (www.pgp.com), you can mount an encrypted drive space and store client data inside the mounted hard drive--all without a major financial investment. Some of this software can run as low as $50. A small price to pay for peace of mind.

Also ensure that no one sends out information that contains identity theft information via e-mail unless it is encrypted. Either set up digital certificates in your e-mail system (see your e-mail program for details) or consider a third-party program, such as Hypersend.com, to send e-mails to clients or banks using encryption.

But the situation gets a little trickier if you store your information on a file server. None of the tax preparation software vendors I have contacted have been willing to state that they support using either PGP encryption or the built-in Windows 2000 or 2003 Encrypted file system.

While some of the tax preparation programs do allow the use of user names and passwords, the fact that the data is not encrypted makes it vulnerable. Think of the years of tax preparation data on your servers and the affected clients.

How can we minimize this risk until vendors include encryption as part of their software? We need to ensure that other security measures are in place and are being monitored.

SOFTWARE PATCHES

A rigorous schedule of computer protection should be followed to ensure--and document--that you are performing due diligence in protecting that data. Ensure that you are on operating systems that you patch for software updates and consider either configuring an auto-update feature or investing in patch management software, such as Shavlik's Hfnetchk or St. Bernard's UpdateExpert.

If you are running Windows 98 or Windows ME, security patches for these operating systems are not disclosed and you must make a free phone call to Microsoft to obtain them. To obtain this patch, call (800) 936-4900, choose option 3 and ask for hotfix for Windows 98 and Windows ME for KB 828028E.

OTHER STEPS

Next, ensure that your network and any standalone computers and laptops have firewalls that block ports and allow you to open only those ports necessary for your business work. Any computer--file servers, standalone computers, laptops, even the computers that your employees use at home--should have a firewall. If a computer can get out to the Internet, even on a slow dial-up connection, it needs firewall software to provide the barrier you need--at a minimum--to ensure that your data is safe.

Install antivirus software on all computers and make sure that the auto update is configured to regularly bring down virus "dat" files. While many computers come with antivirus, it typically expires after 90 days.

Do not allow any peer-to-peer music file swapping software inside your network. Ensure that laptops do not have "file and printer sharing" enabled under network connections. To see if this is enabled, click on Start, Control Panel and then on Network Connections. Select the network or modem device and ensure that file and printer sharing is not checked.

You may want to visit Microsoft's Security Protect site at www.microsoft.com/security/protect and follow the steps listed or order the security CD-ROM to assist you in patching and protecting your system.

CONSULTANTS

If your needs are greater than you can handle, consider hiring a consultant to perform a security audit of your organization. This comes with a greater financial cost, but it's a small price to pay if you consider what will happen if your client information is compromised.

Computers allow us to perform many tasks more easily and more accurately. But they need regular maintenance and care to be operated in a safe and secure manner. Make sure you get this maintenance to keep your--and your clients'--identities secure.

FOR MORE INFORMATION

Details about securing your computers and notifying clients of possible data theft can be found at www.privacy.ca.gov/business/bph1.28.04.pdf and www.privacy.ca.gov/recommendations/secbreach.pdf.

If you believe an intrusion has occurred, there are various high-tech crime units throughout the state you can contact, depending on your location:

San Diego--Computer and Technology Crime High Tech Response Team (www.catchteam.org)

Northern California (Napa)--Northern California Computer Crimes Task Force (www.nc3tt.org)

San Jose--San Jose High Technology Crime Detail (www.sjpd.org/hitech.html)

Sacramento--Sacramento Valley Hi-Tech Crimes Task Force (www.sachitechcops.org)

Los Angeles--High Technology Crimes Unit of Los Angeles County (http://da.co.la.ca.us/cpd/idtheft.htm)

by Susan Bradley, CPA

Susan Bradley, CPA, CITP, MCP, GSEC is a partner with Tamiyasu, Smith, Horn & Braun in Fresno. You can reach her at sbradley@tshb.com.
COPYRIGHT 2004 California Society of Certified Public Accountants
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2004, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Title Annotation:Data Security
Author:Bradley, Susan
Publication:California CPA
Geographic Code:1U9CA
Date:May 1, 2004
Words:1230