Thousands of businesses are storing terabytes of confidential business and personal information on laptops, tablets, smartphones, PDAs, removable disk drives, flash memory cards, etc. — leading to a spate of highly publicized security breaches involving the loss or theft of equipment containing customer records, Social Security numbers, drivers license numbers — and more. Your business could be next!
Both federal legislation (such as the ADA, FMLA, and HIPAA) and a variety of state laws require companies to keep customer and client information confidential and to report the disclosure or theft of this data. To protect themselves against liability for these leaks and to manage the risk, more and more businesses are tailoring security policies for their Personal Electronic Devices (PEDs)
Your policy should follow these guidelines:
- Require encryption of all data on PEDs that carry confidential records.
- Implement “pass phrases” containing letters, numbers, and symbols — and change them frequently.
- Secure wireless networks with firewalls and passwords.
- Create a two-step authentication process when using a PED for remote access.
- Use cable locks for laptops and place them and other PEDs in locked storage when not in use.
- Have a “time-out” function for mobile devices that requires user re-authentication after 10 minutes of inactivity.
- When feasible, require that the PED be marked as company property.
- Have your IT department record the model number and serial number of all PEDs and store digital photographs of each device.
- Create an automatic login to access to the PED and its confidential data.
- Allow copying or extracting access only with two-factor authentication.