Line of defense: simple, complex security measures help prevent lost and stolen laptops.
CPAs used to secure data in their offices or locked in briefcases. Today, however, with the ease of accessing and storing sensitive information on laptops, CPAs need to reconsider how they keep client information confidential and secure.
How Do I Secure My Laptop?
Because of their portability, laptops pose a great opportunity to work from anywhere. But with that opportunity comes risk, and the loss incurred when a laptop is lost or stolen is generally much greater than simply replacing the hardware.
There may be extensive effort and cost in reconstructing lost data, not to mention the costs to take corrective measures relating to the theft of sensitive information.
A primary step toward protecting client data is to adopt some general standards that make sense for the firm. While one size does not fit all, some effective controls that enhance data security can be implemented, regardless of firm size or complexity.
Such standards, which should be put in writing and communicated to employees regularly, should address the type of information that's stored on laptops. For one firm, it may be acceptable to store client files, but for other firms, the decision may depend on the type of client, the sensitivity of the information and control measures already in place.
With regard to private or sensitive information, the best--and obvious--solution is not loading it on a laptop unless absolutely necessary to perform the work. If it is necessary, put security controls in place before loading any files.
For example, consider having the client redact sensitive components of the information if they are not needed for your scope of work. Also consider password-protecting spreadsheet files to prevent unauthorized access.
Another way to mitigate risk is to think carefully about where and when to bring a laptop. After all, the best way to avoid theft or loss is to eliminate the possibility.
For example, it may be possible to leave your laptop behind if, while traveling, you only need to check e-mail and have access to a computer facility, such as a hotel business center. Or, if you are temporarily working at an off-site branch office, consider using a computer at that location to eliminate the risk of theft.
Reasonable laptop security measures also should include keeping account of the device at all times. At work or while traveling, always assume physical controls are at their lowest level. Laptops are more likely to find their way into the hands of thieves than to merely get lost or misplaced, and a thief needs only a few seconds to take advantage of inattention.
Cable lock kits are an inexpensive solution to this problem. If a locking mechanism is not available, keep the laptop from plain sight when unattended. Theft of laptops also may occur in the office, so using a locking mechanism on your own desk is a good control.
Peripheral storage devices, such as USB flash drives, are easily transported and can help keep data secure, since they can be removed from the computer and securely stored elsewhere by the user. Diskettes and CDs have similar benefits. But it's important to note that incorrect use of these devices may lead to a control weakness. If you lock up the laptop but leave the USB drive accessible, for example, thieves can easily unplug it and steal the information without having to steal the laptop itself.
To stop unauthorized users from inserting a disk and transferring a virus, it may be necessary to secure the disk drive with a Universal Drive Lock, which locks up external and internal drives.
In addition to physical controls, passwords should be used at all times. A few simple options include:
* Screensaver passwords: These automatically kick in when the computer is unattended for a specified period of time. To work on the computer again, the user will need a password.
* Log-on passwords: This password must be entered before the user can start any programs.
* Password-protected files: These can be used to protect spreadsheets, for example, from unauthorized access.
Other safeguards, such as security chips, fingerprint scanners, self-destructing hard drives, smart cards and encryption are more complex controls.
Security chips can be used to disable a laptop in the event an unauthorized user tries to gain access, while also sending out an audio distress signal. Global positioning system technology can then be used to determine the laptop's location.
The same set-up can be used to encrypt or destroy sensitive data stored on a stolen laptop. However, to be effective, this technology needs to work in concert with other practical control measures, such as keeping track of laptops and implementing password protection.
For example, there may be an extended period of time between when the laptop was stolen and when the theft was discovered. This period may be long enough for data to be extracted and result in a situation in which the control measure did not meet the risk exposure for which it was designed.
Self-destructing hard drives have similar attributes.
Fingerprint scanners are a biometric control that uses a fingerprint instead of, or in addition to, a password to gain access. This is costly technology, so firms will need to assess the cost and effectiveness, specifically in terms of the type of work conducted, the sensitivity of the information and the associated risks.
Encryption encodes and scrambles information, making it unreadable to unauthorized users and ensuring that data can be viewed only by the intended parties.
To be most effective, encryption must work with other controls. If an unauthorized person has access to encrypted files, it means that other controls were not in place or were not working to prevent access. The unauthorized access may still result in damage, regardless of whether the user is able to read the information in the files.
When working with encrypted files, CPAs may run into compatibility issues with a client's system, as well as discover an increased need for IT support.
Smart card technology offers numerous security advantages to organizations, including mechanisms to ensure that personal identification number verification, and access to computer keys or any stored data, are performed securely and only by authorized users.
What if I Lose a Laptop?
File a police report. Along with affording you the possibility of recovering the laptop, this can help your clients, who can submit the police report number to credit agencies.
Disclose the theft to your potentially affected clients. A CPA has a professional, as well as legal, duty to maintain the confidentiality of client documents, and the potential breach of confidentiality and risk of identity theft should be disclosed.
Under the AICPA Professional Standards, "A member in public practice shall not disclose any confidential client information without the specific consent of the client." Disclosure of confidential information to an unauthorized source, or the exposure of confidential information to an unknown source by means of a lost laptop, may result in the same damage to the client. In either case, the most likely cause of the damage is the absence of due professional care.
Also, California Civil Code Sec. 1798.82 requires any person or business that conducts business in California to notify any person who is a resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
This statute requires disclosure "in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement ... or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system." By statute, the disclosure must be in writing and e-mail will suffice.
Determine if the laptop contains unencrypted confidential or personal client information. Under the Civil Code, the mandatory disclosure provision applies to unencrypted personal information, which is defined as a Social Security number; driver's license number; or an account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual's financial account.
Regardless of whether or not information contained in the laptop was encrypted, the client should be promptly made aware of precisely what kind of information is stored on the computer.
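As an added illustration (this is not from the article, nor a tool the authors describe), the following Python script applies the Civil Code definition quoted above to a constructed set of client records and reports which records would trigger the mandatory notice. A Social Security number or driver's license number on its own counts; an account or card number counts only when the same record also carries a security code, access code, PIN or password. The regular expressions, the California driver's-license format (one letter followed by seven digits), the Luhn check used to discard numbers that merely look like card numbers, and the one-record-per-line layout are all assumptions of this example, as is the sample data.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Patterns are assumptions for this example, not the statute's wording.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CA_DL_RE = re.compile(r"\b[A-Z]\d{7}\b")            # assumed CA license format
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")    # 13-16 digits, optional separators
CREDENTIAL_RE = re.compile(
    r"\b(?:security code|access code|cvv|cvc|pin|password)\b", re.IGNORECASE
)

# Constructed sample records; one client record per line (assumption).
SAMPLE = """\
Client: Example Co. (constructed), contact 555-0100
SSN on file: 219-09-9999
CA DL: D1234567
Card: 4111 1111 1111 1111, security code: 123
Card: 4111 1111 1111 1111
Invoice #2023-00123 total 1,234.56
Card: 4111 1111 1111 1112, CVV 999
"""


@dataclass
class Finding:
    line_no: int
    category: str
    notifiable: bool  # True if this item alone meets the statutory definition


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that are not plausible card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per statutory data element found, with its line number."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if SSN_RE.search(line):
            findings.append(Finding(line_no, "ssn", True))
        if CA_DL_RE.search(line):
            findings.append(Finding(line_no, "drivers_license", True))
        for match in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", match.group())
            if not luhn_valid(digits):
                continue  # looks like a card number but fails the checksum
            # A card number is notifiable only together with a code or password.
            paired = CREDENTIAL_RE.search(line) is not None
            findings.append(Finding(line_no, "card_number", paired))
    return findings


def assess(text: str, encrypted: bool) -> dict:
    """Decide what the firm must do for this data set.

    mandatory_notice: the statute's written notice is required (unencrypted
    personal information present). inform_client: the client should be told
    what was on the machine whenever any of these elements are present.
    """
    findings = scan_text(text)
    statutory = any(f.notifiable for f in findings)
    return {
        "findings": findings,
        "mandatory_notice": statutory and not encrypted,
        "inform_client": bool(findings),
    }


if __name__ == "__main__":
    result = assess(SAMPLE, encrypted=False)
    for f in result["findings"]:
        flag = "NOTIFY" if f.notifiable else "review"
        print(f"line {f.line_no}: {f.category:16} {flag}")
    print("mandatory notice:", result["mandatory_notice"])
    print("inform client:", result["inform_client"])
```

Running it on the sample flags lines 2, 3 and 4 as meeting the definition, reports line 5 (a bare card number) for review only, and ignores line 7, whose number fails the Luhn check despite the CVV beside it. Passing encrypted=True turns off the mandatory-notice result but still leaves inform_client set, matching the article's point that the client should be told what was on the computer either way.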
Inform your client on how to take precautions to minimize the losses resulting from identity theft. If the stolen laptop contains unencrypted Social Security numbers, inform your client on how to report the potential loss of confidential information to a credit reporting agency, such as Equifax, Experian or TransUnion.
These agencies can monitor your client's credit daily, including sending e-mail notices of any changes in your client's credit file within 24 hours of their being posted to the credit reporting agency's database.
Credit reporting agencies also can provide a limited amount of identity theft insurance and access to fraud specialists.
Provide clients with identity theft protection information. Contact information for such agencies includes:
* California Office of Privacy Protection, www.privacy.ca.gov or (866) 785-9663
* Federal Trade Commission, www.consumer.gov/IDtheft/ or (877) 438-4338
Evaluate additional steps to protect the client's information. This may include determining whether or not the CPA needs to deploy additional processes and controls on laptops or computer networks to protect against future inadvertent disclosure.
A Few Final Tips
A lost or stolen laptop can damage businesses, reputations and lives. CPAs must be vigilant in taking the necessary precautions to protect client information. These guidelines can serve as a starting point to securing laptops and what to do in the event of a loss or theft:
1. Adopt sound data and hardware policies for the firm;
2. Determine safeguards needed for traveling with a laptop;
3. Assume physical controls are at a minimum and take preventive measures;
4. Engage easily adaptable controls, such as cable lock kits, to prevent theft;
5. Use access controls, such as passwords, at all times;
6. If practical, use security chips, encryption and biometrics; and
7. Know what to do--and how to advise your clients--if your laptop is stolen.
Paul Fife, Esq., is a partner with San Francisco-based Wild, Carey & Fife. You can reach him at PaulFife@WCandF.com.
Francis Bueb, CPA, CITP, is a director with Sacramento-based Ueltzen & Company, LLP. You can reach him at firstname.lastname@example.org.
BY FRANCIS BUEB, CPA AND PAUL FIFE, Esq.
Date: Nov 1, 2006