In 2011, we saw a number of data breaches resulting from the loss of data on laptops. Almost one in three breaches related to lost or stolen laptops, most of which could have been easily avoided. http://www.netdiligence.com/files/CyberLiability-0711sh.pdf With the average cost per breach reaching $2.4 Million, you would expect more companies to take the security of laptops, and the regulation of the data on them, more seriously.
Yet just before the New Year, officials at the University of Mississippi Medical Center in Jackson and the Mississippi Department of Health announced a breach affecting nearly 1,500 patients. The patients participated in research studies and their information was in two password-protected databases on an unencrypted laptop, which was briefly left unsecured at a clinic. The first database contained medical record numbers, age, sex, race, zip code and blinded test results on about 1,400 patients who are being notified by mail. http://www.healthdatamanagement.com/news/breach-notification-hipaa-protected-health-information-43809-1.html/
In 2012, I expect the FTC, HHS’ OCR and state Attorneys General to bring actions for laptop breaches and provide guidance on security requirements for laptops. For example, I would expect encryption of sensitive data stored on laptops to be a focus. In fact, Massachusetts law requires encryption of all personal information stored on laptops and portable devices. 201 CMR 17.04(5). Companies not doing business in Massachusetts should encrypt such data regardless. If nothing else, encryption of the data may excuse the need to provide notice if the laptop is lost or stolen. Some other suggestions include implementing policies that require: