Your laptop is in your computer bag. It’s in the backseat of your car. On it’s hard drive is a file with names, addresses, phone numbers, social security and driver’s license numbers and other basic information gathered to handle cases and perform conflicts checks for your firm. Your database may have, as mine does, thousands of names in it.
A rock is used to break your window. The bag is grabbed and by the time you get back to the car the laptop is long gone.
Once you deal with the getting your car repaired and your computer replaced you may discover that your state requires that you report the security breach to the government. In my state, North Carolina, the Identity Theft Protection Act of 2005 requires a report in situations like the one described above. The statute requires the company to give notice to it’s customers and to submit a report to the Department of Justice.
The reporting form has one question that you want to be prepared to answer. They ask you if the “information breached or potentially breached was password protected or encrypted in some manner.” They further ask you to “describe the security measures protecting the information.” Your answers become part of the public record. The last thing you want is to have a public record that makes it clear that you’re slack about protecting your client’s private data.
How can you protect the data?
One thing you can do is password protect the computer. That’s a start.
You can also encrypt the data. Microsoft provides instuctions for the Windows operating system. Apple provides instructions for OS X. There are numerous commercial encryption products and TrueCrypt is a free open-source disk encryption product for Windows, Mac OS X and Linux. This is a task for your I.T. support person unless you really enjoy playing with your computers.
None of this is rocket science and you owe your clients an effort to keep their private data private. We practice in an area where privacy is a major concern. Don’t look like a slacker in public.
Related articles:
