; Laptop Lockdown
Learning Center
Plans & pricing Sign in
Sign Out
Your Federal Quarterly Tax Payments are due April 15th Get Help Now >>

Laptop Lockdown


  • pg 1
									WSJ.com - Laptop Lockdown                                                                            Page 1 of 4

                           June 28, 2006

  Laptop Lockdown                                                         DOW JONES REPRINTS
                                                                                 This copy is for your
  Companies Start Holding Employees                                       personal, non-commercial use
                                                                          only. To order presentation-ready
  Responsible for Security                                                copies for distribution to your
  Of Portable Devices They Use for Work                                   colleagues, clients or customers,
                                                                          use the Order Reprints tool at the
  By M.P. MCQUEEN                                                         bottom of any article or visit:
  June 28, 2006; Page D1                                                  www.djreprints.com.

                                                                          • See a sample reprint in PDF
  The burden of lugging around laptop computers for work around the       format.
  clock is getting heavier as companies place more of the                 • Order a reprint of this article now.

  responsibility of guarding against theft and other security lapses on
  their employees.

  A number of companies, including Aetna Inc., Fidelity Investments and the U.S. unit of ING
  Groep NV, are revising their policies about how employees should handle confidential data
  stored on computers. Many employees are facing new restrictions on who can take confidential
  records out of the office and are receiving special training on how to keep data secure. Workers
  found violating security policies are being disciplined, or even dismissed.

  Boeing Co. now requires laptops to be physically locked with a cable to a stationary object at all
  times, whether they are in offices, conference rooms or a car, so that no one can walk away with
  them. The aerospace giant has stepped up enforcement of a rule that confidential data must be
  accessed only on company servers, not stored on laptops. Boeing officials have started conducting
  random audits of laptops to check for unauthorized or unsecured files.

  Some companies, including Aetna, the big health insurer, have begun telling employees that they
  can't use their own portable digital assistants such as Palm Pilots and BlackBerrys on company
  computers without permission. Other companies are disabling extra USB connections on
  workplace computers to make sure employees can't attach those accessories. And some even ban
  MP3 players in the workplace, security experts say. All these devices may lack encryption, and
  can be used to smuggle out confidential data.

  "Employees are the weakest link" in securing data, says Jon Oltsik, senior analyst for information
  security at Enterprise Strategy Group, an information-technology industry analysis firm.

  Before traveling on business, Marian Mays, payroll operations manager in Boeing's Seattle office,
  has started having her laptop examined by the company's security personnel to make sure she
  doesn't have any sensitive data stored on it. Once she is on the road, logging on to the company's
  server requires multiple passwords. "You just have to deal with it," she says. "We get creative
  with the passwords."

  The moves come amid several recent thefts of laptops containing sensitive information. This

http://online.wsj.com/public/article_print/SB115145402822192505-ivRZqY_7_l_Qg6rQH... 6/28/2006
WSJ.com - Laptop Lockdown                                                                      Page 2 of 4

  month, credit bureau Equifax Inc. said a laptop containing employee names and Social Security
  numbers was stolen from an employee traveling in England. In May, a data analyst with the
  Department of Veterans Affairs had a laptop stolen from his Maryland home that contained
  confidential information on 26.5 million veterans, military personnel and their spouses. To date,
  no identity thefts have been traced to these laptop thefts. But overall, more than 88 million
  Americans have been put at risk of identity theft from data breaches since early 2005, according to
  the Privacy Rights Clearinghouse, a nonprofit advocacy group.

  Financial-services companies, with their abundance of client data, are especially sensitive to
  security breaches. "Every firm has re-evaluated their policy on laptops," says Alan Sorcher,
  associate general counsel at the Securities Industry Association, a brokerage-industry trade group.
  "They know that losing a laptop is a significant thing." The group has convened an industry
  conference for November on data breaches and privacy law.

  Companies have long taken pains to secure data, but these efforts mainly focused on protecting
  computer networks from hackers and viruses. Only recently have laptops and other portable
  devices come under scrutiny, and this poses thorny issues for both employers and workers who
  routinely bring work home, says Philip S. Deming, president of a human-resources at a security
  consulting firm near Philadelphia. "Virtual offices make employees more productive because they
  work more than 40 hours a week, so how do you balance that?" he says.

  But the veterans department theft and other large data breaches helped to spur private industry to
  take data protection more seriously, even if this has affected employees' ability to work remotely,
  security experts say. At the VA, employees are barred from taking claims files out of the office
  and connecting to the department's network from home, until security reviews are completed. The
  analyst who took data home in violation of department policy was placed on administrative leave
  pending dismissal proceedings, along with one of his superiors. Another supervisor resigned, the
  VA says.

                                                                      Whether or not a company is
                                                                      cracking down on computer
                                                                      security, employees should
                                                                      consider protecting
                                                                      themselves, experts say.
                                                                      Employees should check
                                                                      company policies before
                                                                      working with confidential
                                                                      files away from the
                                                                      workplace, and use only
                                                                      secure Internet connections.
                                                                      They also should ask their
                                                                      information technology
                                                                      departments whether a laptop
                                                                      or portable device has the
  proper authentication and encryption software.

  Technology firms, meanwhile, are rolling out new products to help companies better secure their
  portable computer equipment. Among the recent offerings: biometric authentication, which scans
  your fingerprint to log in, and antitheft software that can track the location of a stolen laptop.

  Data breaches cost companies an average of $5 million per incident in direct costs such as

http://online.wsj.com/public/article_print/SB115145402822192505-ivRZqY_7_l_Qg6rQH... 6/28/2006
WSJ.com - Laptop Lockdown                                                                                               Page 3 of 4

  notifying victims, according to a study by the Ponemon Institute, an independent research group.
  Corporate reputations also can suffer, and Ponemon found that 20% of data-breach victims cut ties
  with institutions that compromised their privacy.

  What's more, companies face increased risk of legal liability. Since 2003, at least 32 states have
  passed laws requiring companies to notify victims when personal information is leaked. Several
  states, including California and Texas, allow individuals to sue organizations that fail to safeguard
  their private data. Federal statutes also permit government agencies to sue organizations over data

  Employers are increasingly protecting laptops with encryption software that scrambles data,
  making it difficult for thieves to use. But some types of the software can also slow down
  operations and workers sometimes avoid or forget to use it. As a result, some companies are
  holding employees responsible for ensuring laptops are encrypted before they take them off-

  After a Boeing laptop containing employee information was stolen from a hotel room last fall, the
  company retrained its staff in tightened security procedures. Employees and managers now must
  certify that they have been trained in the use of encryption, have installed it on their computers
  and understand the consequences of not using it. "Loading it is one thing, using it is another," says
  Debra Overlin, Boeing's director of human resources data privacy. Failure to follow the rules can
  result in discipline ranging from a letter of reprimand to termination, she says. (Encryption
  programs come in several types, but a common one requires the user to place files inside a special
  folder. Any document left outside the folder remains unencrypted.)

  Aetna also began requiring employees to be certified in using encryption after a company laptop
  containing customer information was stolen from an employee's car. The employee failed to have
  encryption software installed in the laptop before taking it out of the office and has been
  disciplined, the company says. Aetna held workshops over several weeks last month to answer
  staff questions about encryption.

  At ING Americas, none of the company's 5,000 laptops can leave company facilities until
  encryption software is loaded, the financial-services company says. The lockdown follows ING's
  disclosure last week that a laptop containing retirement-plan information on 13,000 Washington,
  D.C., employees was stolen from an ING agent's home.

  on 13,000 Washington employees was stolen from an ING agent's home.

  Write to M.P. McQueen at mari.mcqeen@wsj.com 1

               URL for this article:

               Hyperlinks in this Article:
               (1) mailto:mari.mcqeen@wsj.com

                               Copyright 2006 Dow Jones & Company, Inc. All Rights Reserved
         This copy is for your personal, non-commercial use only. Distribution and use of this material are governed by our
    Subscriber Agreement and by copyright law. For non-personal use or to order multiple copies, please contact Dow Jones
                              Reprints at 1-800-843-0008 or visit www.djreprints.com.

http://online.wsj.com/public/article_print/SB115145402822192505-ivRZqY_7_l_Qg6rQH... 6/28/2006
WSJ.com - Laptop Lockdown                                                           Page 4 of 4

http://online.wsj.com/public/article_print/SB115145402822192505-ivRZqY_7_l_Qg6rQH... 6/28/2006

To top