Protecting Laptops Should Be a Business Priority: Here’s Why!
Stolen or lost laptops have become one of the most common business security incidents, according to the 2014 Data Breach Investigation Report by Verizon.
With a ruling last spring by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), they’ve become one of the most expensive too.
The OCR slapped huge non-compliance penalties on two companies (Concentra Health Services and QCA Health Plan) who each had a laptop stolen that contained electronic protected health information (ePHI), covered under the Health Insurance Portability and Accountability Act (HIPAA).
Trouble was the data was not encrypted.
Concentra’s laptop hard drive contained 870 patient names, Social Security numbers and pre-employment work fitness test results. The company was fined $1.7 million – or about $1,954 per record affected by the data breach.
QCA, whose laptop hard drive contained the ePHI of 148 individuals, was fined $250,000 – or about $1,689 per record.
While privacy laws and legislation vary across different industry sectors, the overall message is the same for every business: protect sensitive information on company laptop hard drives.
Here are different ways to protect laptops and avoid costly security breaches.
- Utilize anti-theft and data protection tools such as encryption. Susan McAndrew, OCR’s deputy director of health information privacy stated the following regarding compliance fines. “Our message to these organizations is simple: encryption is your best defense again these incidents.” If encryption is inappropriate, take other measures to protect the data.
- Keep laptops secure. Leaving computers unattended when outside the workplace, and working on a laptop when travelling and not using a computer privacy screen are two of the risky practices employees routinely engage in, according to Ponemon Institute's The Human Factor in Data Protection 2012. The solution, provide training and security awareness programs for all employees who have laptops and who travel for business or work from home.
- Data classification. Document management policies should include data classification so that private information is only distributed where needed. The Human Factor in Data Protection study also identified “carrying unnecessary sensitive information on a laptop when travelling” as a risky employee behavior.
- Risk assessment. Conduct an information security risk assessment to identify vulnerabilities – and implement solutions.
- Incident reporting. Implement policies that require employees to report a lost or stolen laptop as soon as possible. Acting quickly may help prevent or reduce further data loss, fines and customer backlash, according to the Experian Data Breach Response Guide.
- Dispose of laptop computers properly when out-dated or no longer needed. The only way to completely protect information on a laptop hard drive is through professional hard drive destruction. Simply deleting data from laptops does not ensure sensitive information is completely removed. In fact research by MIT showed that sensitive information from wiped hard drives can be recovered – here is an infographic that explains. Partner with a document shredding company that provides hard drive and media destruction.
Here is more information about hard drive and media destruction.