In 2011, we saw a number of data breaches resulting from the loss of data on laptops. Almost one in three breaches related to lost or stolen laptops, most of which could have been easily avoided. http://www.netdiligence.com/files/CyberLiability-0711sh.pdf With the average cost per breach reaching $2.4 million, you would expect more companies to take the security of laptops, and the regulation of the data on them, more seriously.
Yet just before the New Year, officials at the University of Mississippi Medical Center in Jackson and the Mississippi Department of Health announced a breach affecting nearly 1,500 patients. The patients participated in research studies and their information was in two password-protected databases on an unencrypted laptop, which was briefly left unsecured at a clinic. The first database contained medical record numbers, age, sex, race, zip code and blinded test results on about 1,400 patients who are being notified by mail. http://www.healthdatamanagement.com/news/breach-notification-hipaa-protected-health-information-43809-1.html/
In 2012, I expect the FTC, HHS’ OCR and state Attorneys General to bring actions for laptop breaches and to provide guidance on security requirements for laptops. For example, I would expect encryption of sensitive data stored on laptops to be a focus. In fact, Massachusetts law requires encryption of all personal information stored on laptops and portable devices. 201 CMR 17.04(5). Companies not doing business in Massachusetts should encrypt regardless. If nothing else, encryption of the data may excuse the need to provide notice if the laptop is lost or stolen.
Some other suggestions include implementing policies that require:
- Shipments of new or unassigned laptops/mobile devices are, within a reasonable time of receipt, to be stored in locked closets or rooms with controlled access and no false ceilings or partial walls.
- A locking cable be issued with each laptop/mobile device and used to secure it to a large stationary object, such as a desk or airplane seat, whenever the computer is left unattended.
- Tamper-proof identification labels with the company name/ID shall be visibly placed on all laptops to assist in identification if stolen or misplaced. (Where a safety issue is involved, the local security environment may necessitate masking the company name.)
- The laptop/mobile device make, model, serial number and media access control (MAC) address are to be recorded and stored in a safe location in order to give precise information to authorities in case of theft.
- Encryption (e.g., file encryption) must be used to maintain confidentiality and to protect against the bypass of software controls, such as booting from another system disk or a USB drive. Encryption must also be used when sending and receiving sensitive data.
- Anti-virus/anti-malware software will be installed on the laptop/mobile device, and all incoming disks, magnetic/digital media and jump drives should be virus-checked before being used.
- To help prevent damage and theft, a laptop should not be checked as baggage or packed inside checked baggage. If a laptop must be left in an automobile, it must be stored in the trunk or otherwise out of plain view.
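The Mississippi incident above illustrates why the encryption requirement in this list matters: a password on a database application does nothing once someone boots the laptop from a USB drive and reads the disk directly, whereas data on an encrypted volume stays unreadable without the key. The following Python script is an added example, not code from the original post or from any of the agencies or laws it cites. It is a hypothetical compliance check for a Linux laptop: it parses the JSON tree from `lsblk -J -o NAME,TYPE,MOUNTPOINT` and reports any policy-required mount point that is not backed by a dm-crypt (`crypt`) device. The function names, the `REQUIRED_ENCRYPTED` policy list and both sample `lsblk` outputs are constructed for this example.

```python
"""Check whether a Linux laptop's data-bearing volumes sit on an encrypted block device.

Hypothetical helper written for this post (not from the original article): it parses the
JSON tree printed by `lsblk -J -o NAME,TYPE,MOUNTPOINT` and reports any required mount
point that is NOT backed by a dm-crypt ("crypt") device somewhere in its ancestry.
"""
import json
import subprocess

# Mount points the (assumed) policy requires to be encrypted. /boot and the EFI partition
# are deliberately not listed: they normally stay unencrypted so the machine can boot.
REQUIRED_ENCRYPTED = ("/", "/home")

# Constructed sample output: LUKS container on nvme0n1p2 with LVM volumes inside it.
SAMPLE_ENCRYPTED = """{
  "blockdevices": [
    {"name": "nvme0n1", "type": "disk", "mountpoint": null, "children": [
      {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
      {"name": "nvme0n1p2", "type": "part", "mountpoint": null, "children": [
        {"name": "cryptroot", "type": "crypt", "mountpoint": null, "children": [
          {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
          {"name": "vg-home", "type": "lvm", "mountpoint": "/home"}
        ]}
      ]}
    ]}
  ]
}"""

# Constructed sample output: the same laptop installed without any encryption.
SAMPLE_PLAIN = """{
  "blockdevices": [
    {"name": "nvme0n1", "type": "disk", "mountpoint": null, "children": [
      {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
      {"name": "nvme0n1p2", "type": "part", "mountpoint": "/"},
      {"name": "nvme0n1p3", "type": "part", "mountpoint": "/home"}
    ]}
  ]
}"""


def encrypted_mountpoints(lsblk_json):
    """Map every mounted filesystem to True/False: is any ancestor device of type 'crypt'?"""
    result = {}

    def walk(device, under_crypt):
        # Once we pass through a crypt device, everything below it is encrypted at rest.
        under_crypt = under_crypt or device.get("type") == "crypt"
        mp = device.get("mountpoint")
        if mp:
            result[mp] = under_crypt
        for child in device.get("children", []):
            walk(child, under_crypt)

    for dev in json.loads(lsblk_json)["blockdevices"]:
        walk(dev, False)
    return result


def unencrypted_required(lsblk_json, required=REQUIRED_ENCRYPTED):
    """Return the required mount points that are missing or not backed by a crypt device."""
    status = encrypted_mountpoints(lsblk_json)
    return [mp for mp in required if not status.get(mp, False)]


def live_lsblk_json():
    """Collect the real tree from the host (Linux only; assumes util-linux's lsblk)."""
    out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
                         capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    findings = unencrypted_required(live_lsblk_json())
    if findings:
        print("POLICY VIOLATION: unencrypted volumes:", ", ".join(findings))
        raise SystemExit(1)
    print("OK: all required volumes are on encrypted block devices")
```

Run it with no arguments on the laptop itself (or from a fleet-management agent) and a non-zero exit code flags a machine that violates the policy. The check only proves that the volume is on a `crypt` device; it does not confirm that the unlock key is protected by a strong passphrase or a TPM rather than stored on the same disk, so it belongs alongside, not instead of, a review of how the volume is unlocked.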