Thousands of businesses are storing terabytes of confidential business and personal information on personal electronic devices (PEDs), such as laptops, PDAs, removable disk drives, flash memory cards, etc. — leading to a spate of highly publicized security breaches involving the loss or theft of equipment containing customer records, Social Security numbers, driver's license numbers, and more. Could your organization be next?
Both federal legislation (such as the ADA, FMLA, and HIPAA) and a variety of state laws require companies to keep customer and client information confidential and to report the disclosure or theft of this data. To protect themselves against liability for such leaks and to manage the risk, more and more businesses are tailoring security policies for their personal electronic devices (PEDs).
Such a policy should:
- Require encryption of all data on PEDs that carry confidential records.
- Require pass phrases containing letters, numbers, and symbols — and change them frequently.
- Secure wireless networks with firewalls and passwords.
- Create a two-step authentication process when using a PED for remote access.
- Use a cable lock for laptops and place them and other PEDs in locked storage when not in use.
- Have a “time-out” function for mobile devices that requires user re-authentication after 10 minutes of inactivity.
- When feasible, require that the PED be marked as company property.
- Have your IT department record the model number and serial number of all PEDs and store digital photographs of each device.
- Require a login to access the PED and its confidential data.
- Allow copying or extraction of confidential data only after two-factor authentication.
Our risk management professionals stand ready to offer you advice on creating a PED security policy. Just e-mail or call us.