As general counsel and chief privacy officer, Leslie Bender has to make sure that the sensitive patient data her company handles stays secret. But in August, her employer, Receivables Outsourcing Inc., which handles outsourced back-office services for hospitals, got some alarming news. Five laptops were given to auditors at a field office and stolen the next day.

Bender interrogated the IT staff: How secure were the lost machines? Were data stored on them? How accessible was the C drive? “I had to have [the IT staff] calm me down,” she says. But she caught a lucky break. “The laptops were new and weren’t programmed yet with software,” she says.

The Timonium, Md.-based company still doesn’t know what happened to the machines. Replacing the laptops will cost the small business almost $10,000. But things could have been much worse. This past April, the Health Insurance Portability and Accountability Act (HIPAA) went into effect. Under that statute, Receivables Outsourcing Inc. (ROI) has an obligation to make sure that anyone who shouldn’t see hospital data doesn’t. In the past year, Bender has worked with her IT staff to set up policies to minimize the risks associated with laptop, or notebook, computer use among the company’s 255 employees. These include better password protection, secure networks for transferring information between a laptop and a home network, and reporting procedures that employees must follow when a laptop goes missing.

Bender is not alone. The spike in notebook computer use has other in-house lawyers poking their heads into the IT department offices to check up on security, too. But popularity has its price. The Federal Bureau of Investigation says that laptop theft is the second-most common form of computer crime, after virus-related offenses. Nearly 63 percent of the 530 U.S. corporations, government agencies, and universities the agency surveyed last year reported that they had laptops stolen.

Until recently, many companies and organizations relied on their IT departments to decide which security devices to invest in and how best to incorporate them into laptops. But given the rise in theft, and new regulations -- such as HIPAA and California’s new privacy statute, S.B. 1386, which took effect this past July and safeguards customer data -- in-house lawyers have also started to get involved in these decisions.

“Privacy and security are now my full-time occupations here,” says Thomas Young, an in-house lawyer at the Hartford, Conn.-based insurance company Aetna Inc. Young was promoted to chief privacy officer last year. Since then, he has led a project to identify who among the company’s 27,500 employees handles private health information, and how that information is kept secure. An Aetna spokesperson estimates the insurer has spent in the “tens of millions of dollars” implementing security measures as a result of HIPAA.

CAUTIONARY TALE

One story told often by security experts is the experience of Irwin Jacobs, CEO of San Diego-based Qualcomm Inc. In 2000, Jacobs was publicly humiliated after telling a conference room full of journalists that his laptop contained proprietary information that would be valuable to foreign governments. (Qualcomm was in the midst of negotiating large deals in China.) Later during that conference, Jacobs’ laptop was stolen -- right from the podium from which he had spoken. The laptop’s fate remains unclear; Qualcomm declined to speak about the incident.

Most worrisome for in-house lawyers, though, is the rash of privacy regulations enacted on federal and state levels. They are creating what many lawyers say are de facto obligations for companies to upgrade their security. Besides HIPAA, there’s the Gramm-Leach-Bliley Act of 1999, a federal law that went into effect in 2001 that requires financial companies to inform customers of their privacy policies. Lawyers say it leaves companies open to negligence suits if they don’t safeguard information adequately.

There is also California’s new privacy law. That regulation requires companies to tell customers when their private information is compromised -- such as when a laptop is stolen containing customer names and Social Security numbers. Brian Hengesbaugh, an associate at Baker & McKenzie’s Chicago office who specializes in IT and e-commerce issues, calls such laws “a potential logistical and public relations nightmare for any company that loses a laptop.”

SMART CARDS AND PASSWORDS

To prevent these nightmares from becoming reality, tech-savvy companies are taking steps to keep their eyes trained on their all-too-mobile equipment. As the April deadline for HIPAA compliance drew near, General Counsel Linda Tiano worked with the IT department of her company, WellChoice Inc., parent of New York’s Empire Blue Cross Blue Shield, to draft a list of good practices. Everyone at the 5,700-employee New York-based company was informed that placing sensitive data on the thousands of WellChoice laptops was prohibited.

Tiano also took it a step further. What if a thief used a stolen laptop, whose owner had previously set it to bypass password prompts, to get into the company network? To protect against that scenario, Tiano says, the company adopted a common business strategy -- the use of personal identification numbers and smart cards. Everyone at the health care provider who uses a laptop is issued a password as well as a SecureID card, which fits into a slot on the laptop. The SecureID card has a number on it that changes every 60 seconds, a number the network records for authentication. As for the password, only the laptop user and the IT staff know it. Without the card in the slot and a valid password, the laptop won’t get past a log-in prompt when starting up.

At New York-based Lehman Brothers, Vice President and Counsel Joseph Steffan says SecureIDs and passwords help prevent hackers from burrowing into the financial services company’s network. But unlike WellChoice, Lehman allows sensitive data to be placed and stored on notebooks. Doing business sometimes requires it, he says.

The new California law, which Steffan calls “a huge, huge measure driving us,” has prompted some of these safeguards. He points out that under the statute, companies don’t have to report compromised data on stolen laptops if the information is “presumed secure.” As a result, Steffan says Lehman recently installed encryption software on its estimated 15,000 notebook computers. In addition, Lehman has begun implementing such biometric security devices as fingerprint and retina scanners to verify a user’s identity when logging in.

The company takes other drastic steps, too. “Information security gets paged if someone plugs a personal laptop into the network,” Steffan says. “Only company laptops are allowed.”

Others say measures like these still aren’t enough. Vincent Polley, deputy general counsel at the New York- and Paris-based Schlumberger Ltd., which provides systems support to major energy companies, says his company uses smart cards. But Polley says the biggest problem with laptop safety is the lax way employees handle the computers. Sometimes the smart cards are in the machines and the PIN has been entered when the laptop goes missing, he says, leaving the data on it open to anyone in possession of the computer.

But for every company that employs a smart card, statistics released last year by the San Jose, Calif.-based Infonetics Research show there are four businesses that don’t. And for every company that uses fire walls and virtual private networks on its laptops to secure communication flow to and from its intranet, there are three companies that have shrugged it off.

Some businesses are lax about the use of employee-owned computers on their networks. Take, for example, GreenLine Systems Inc., a San Francisco-based startup that provides risk management software for transportation supply chains. The company has a handful of subcontracts with the Transportation Security Administration to ensure the safety of cargo entering U.S. seaports and airports. GreenLine seems like the perfect place to have ironclad security in place, but the company has not issued a laptop policy yet. “We are not doing all the things we should be doing,” admits Charles Miller, vice president-risk management and general counsel, who says he will address laptop use soon.

Eriq Gardner is a staff writer for Corporate Counsel, a magazine affiliated with Legal Times and where a longer version of this article first appeared.

Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.