As general counsel and chief privacy officer, Leslie Bender has to make sure that the sensitive patient data her company handles stays secret. But in August her employer, Receivables Outsourcing, Inc., which handles outsourced back-office services for hospitals, got some alarming news. Five laptops were given to auditors at a field office and stolen the next day. Bender interrogated the IT staff: How secure were the lost machines? Was data stored on them? How accessible was the C drive?

“I had to have [the IT staff] calm me down,” she says. But she caught a lucky break. “The laptops were new and weren’t programmed yet with software,” she says. The Timonium, Maryland-based company still doesn’t know what happened to the machines. Replacing the laptops will cost the small business almost $10,000.

But things could have been much worse. This past April the Health Insurance Portability and Accountability Act (HIPAA) went into effect. Under that statute, ROI has an obligation to make sure that anyone who shouldn’t see hospital data doesn’t. In the past year Bender has worked with her IT staff to set up policies to minimize the risks associated with laptop, or notebook, computer use among the company’s 255 employees. These include better password protection, secure networks for transferring information between a laptop and a home network, and reporting procedures that employees must follow when a laptop goes missing.

Bender is not alone. The spike in notebook computer use has other in-house lawyers poking their heads into the IT department offices to check up on security, too. Laptop sales surpassed desktop computer sales for the first time this past May, according to New York-based market research group NPD Group. Notebook computers now comprise 54.2 percent of the $500-million-per-month U.S. computer sales market; in January 2000 they accounted for only 25 percent. They’ve become ubiquitous in the workplace in a very short time.
Stamford, Connecticut-based Gartner, Inc., estimates that companies have bought more than 50 million in the past three years. Gartner projects that corporate America will buy 50 million more in the next two years.

If laptop use by in-house lawyers is at all indicative of corporate use in general, notebooks are replacing desktops as the computing tool of choice. According to Corporate Counsel’s 2003 in-house tech survey ["The High Cost of Low Tech," May], 54 percent of company lawyers report using a laptop at work instead of a desktop. (Of those who use a desktop, 31 percent work with a laptop when they travel.)

But popularity has its price. According to Columbus-based Safeware, The Insurance Agency, Inc., which publishes an annual study, more than half a million laptops were lifted last year, up from 200,000 stolen in 2000. The Federal Bureau of Investigation says that laptop theft is the second-most common form of computer crime, after virus-related offenses. Nearly 63 percent of the 530 U.S. corporations, government agencies, and universities the agency surveyed last year reported that they had laptops stolen.

The Price Of Portability

Until recently many companies and organizations relied on their IT departments to decide which security devices to invest in and how best to incorporate them into laptops. But given the rise in theft, and new regulations – such as HIPAA and California’s new privacy statute, S.B. 1386, which went into effect this past July and safeguards customer data – in-house lawyers have also started to get involved in these decisions.

“Privacy and security are now my full-time occupations here,” says Thomas Young, an in-house lawyer at the Hartford-based insurance company Aetna Inc. Young was promoted to chief privacy officer last year. Since then, he has led a project to identify who among the company’s 27,500 employees handles private health information, and how that information is kept secure.
An Aetna spokesperson estimates the insurer has spent in the “tens of millions of dollars” implementing security measures as a result of HIPAA.

In the past decade data has become even easier to transport than it is to create. In the 1990s companies started integrating network communications and notebook computers into operations, and white-collar employees became untethered from their brick-and-mortar workspaces. Now, on any given day, airports and Starbucks cafés teem with laptop-equipped traveling office workers. New technologies have accelerated this trend, thanks to advances in miniaturization. Wireless technologies (such as 802.11 wireless fidelity, or “Wi-Fi,” allowing fast mobile Internet connections in the office and on the road), have made laptops even more alluring.

That’s the good news. But “the fact that a laptop is smaller and lighter than before makes it easier for someone to swipe,” says Michael Vatis, former director of the FBI’s National Infrastructure Protection Center, now at the Markle Foundation in New York, which studies public uses for computer technology. Vatis also says that when users hook into Wi-Fi networks, with their less-than-airtight security, they are also vulnerable to hackers gaining access to sensitive files.

The tale that is told most often by security experts is the experience of Irwin Jacobs, CEO of San Diego-based QUALCOMM Incorporated. In 2000 Jacobs was publicly humiliated after telling a conference room full of journalists that his laptop contained proprietary information that would be valuable to foreign governments. (Qualcomm was in the midst of negotiating large deals in China.) Later during that conference, Jacobs’s laptop was stolen – right from the podium from which he had spoken. The laptop’s fate remains unclear; Qualcomm declined to speak about the incident.

Most worrisome for in-house lawyers, though, is the rash of privacy regulations that have been enacted on federal and state levels.
They are creating what many lawyers say are de facto obligations for companies to upgrade their security. Besides HIPAA, there’s the Gramm-Leach-Bliley Act of 1999, a federal law that went into effect in 2001 that requires financial companies to inform customers of their privacy policies. Lawyers say it leaves companies open to negligence lawsuits if they don’t safeguard information adequately.

There is also California’s new privacy law. That regulation requires companies to inform customers when their private information is compromised – such as when a laptop is stolen containing customer names and Social Security numbers. Brian Hengesbaugh, an associate at Baker & McKenzie’s Chicago office who specializes in IT and e-commerce issues, calls such laws “a potential logistical and public relations nightmare for any company that loses a laptop.”

Smart Cards And Passwords

To prevent these nightmares from becoming reality, tech-savvy companies are taking steps to keep their eyes trained on their all-too-mobile equipment. As the April deadline for HIPAA compliance drew near, general counsel Linda Tiano worked with the IT department of her company, WellChoice, Inc., parent of New York’s Empire Blue Cross Blue Shield, to draft a list of good practices. Everyone at the 5,700-employee New York-based company was informed that placing sensitive data on the thousands of WellChoice laptops was prohibited.

Tiano also took it a step further. What if a thief used a stolen laptop, whose owner had previously set it to bypass password prompts, to get into the company network? To protect against that scenario, Tiano says, the company adopted a common business strategy – the use of personal identification numbers and smart cards. Everyone at the health care provider who uses a laptop is issued a SecureID card, which fits into a slot on the laptop, as well as a password. The SecureID card has a number on it that changes every 60 seconds, a number the network records for authentication.
As for the password, only the laptop user and the IT staff know it. Without the card in the slot and a valid password, the laptop won’t get past a log-in prompt when starting up.

At New York-based Lehman Brothers, vice president and counsel Joseph Steffan says SecureIDs and passwords help prevent hackers from burrowing into the financial services company’s network. But unlike WellChoice, Lehman allows sensitive data to be placed and stored on notebooks. Doing business sometimes requires it, he says.

The new California law – which Steffan calls “a huge, huge measure driving us” – has prompted some of these safeguards. He points out that under the statute, companies don’t have to report compromised data on stolen laptops if the information is “presumed secure.” As a result, Steffan says Lehman recently installed encryption software on its estimated 15,000 notebook computers. In addition, Lehman has begun implementing such biometric security devices as fingerprint and retina scanners to verify a user’s identity when logging in. The company takes other drastic steps, too. “Information security gets paged if someone plugs a personal laptop into the network,” Steffan says. “Only company laptops are allowed.”

Others say measures like these still aren’t enough. Vincent Polley, deputy general counsel at the New York and Paris-based Schlumberger Limited, which provides systems support to major energy companies, says his company uses smart cards. But Polley says the biggest problem with laptop safety is the lax way employees handle the computers. “Sometimes the smart cards are in the machines and the PIN has been entered when the laptop goes missing [leaving the data on it open to anyone in possession of the computer],” he says. There is one way to guard against this, Polley says: Make employees pay for the cost of a laptop when it’s stolen.
Polley says that since the policy was enacted at the beginning of this year, there has been a 50 percent reduction in the number of laptops reported lost. The policy has altered employee behavior at the 78,000-employee company, where almost half the workers use laptops. Polley adds, “When I go to conferences, there are a lot more people these days who are locking their laptop by cable to the conference tables.”

Room For Improvement

But for every company that employs a smart card, statistics released last year by the San Jose-based Infonetics Research show there are four businesses that don’t. And for every company that uses firewalls and virtual private networks on its laptops to secure communication flow to and from its intranet, there are three companies that have shrugged it off.

Some businesses are lax about the use of employee-owned computers on their networks. Take, for example, GreenLine Systems, Inc., a San Francisco-based start-up that provides risk management software for transportation supply chains. The company has a handful of subcontracts with the Transportation Security Administration to ensure the safety of cargo entering U.S. seaports and airports.

GreenLine seems like the perfect place to have ironclad security in place. After all, the company sells its security expertise to its clients. Plus, its general counsel sits on the American Bar Association’s Information Security Committee. But despite all that, vice president-risk management and general counsel Charles Miller acknowledges that virtually everyone at the company uses personally owned laptops that may or may not be secure. Miller says he doesn’t know how secure they are because the company has not issued a laptop policy yet. “We are not doing all the things we should be doing,” admits Miller, who says he will address laptop use soon.
Copyright © 2020 ALM Media Properties, LLC. All Rights Reserved.