Data Privacy Day brings reminder that businesses should require encryption on laptops and mobile devices

February 2, 2017

Data Privacy Day was January 28th – the annual event, coordinated by the National Cyber Security Alliance, celebrates the signing in 1981 of the first international treaty addressing privacy and data protection.

On February 1st, a Texas hospital received its belated Data Privacy Day gift – a $3.2 million penalty for failing to require its employees to encrypt laptop computers and other mobile devices containing personally-identifiable information.

The violation stemmed from two incidents: first, an unencrypted, non-password-protected BlackBerry mobile device was left at Dallas/Fort Worth International Airport; subsequently, an unencrypted laptop was stolen from the hospital. Both devices contained electronic health records of thousands of people. The Children’s Medical Center of Dallas received the fine from the U.S. Department of Health and Human Services, which found the hospital had violated the Health Insurance Portability and Accountability Act (HIPAA) by failing to implement policies requiring employees to encrypt data and protect electronic devices.

When we speak to groups about data privacy, one of the statistics that audiences find mind-boggling is how many laptop computers are lost in airports each year.  Studies suggest as many as 12,000 laptops are lost each week in U.S. airports.  

One of the most practical steps that a business can take to avoid liability for a data compromise is to require that employees encrypt files stored on laptops or data storage devices (USB or thumb drives) and password-protect any mobile device that can be used to access the company’s network.  

This is especially important if employees keep files containing personally-identifiable or other protected information (such as Social Security numbers, financial account information, or protected health information) stored on devices, or can use their laptop or phone to access such files on your company’s network.  The same is true if they are working remotely with sensitive business information, such as customer files or trade secrets.

While the idea of “encrypting” files may sound complicated, one example of a reasonable data protection measure is simply enabling the lock-screen passcode on a smartphone.  But reports show that about one-third of all smartphone owners have never set a passcode on their device.  On laptops, individual folders containing sensitive information also can be password-protected.  For particularly sensitive data, stronger programs for easy encryption are readily available.  

Deciding on the proper level of protection is a matter of risk assessment: you should encrypt anything that has, or can provide access to, data that could cause substantial harm if it fell into the wrong hands.

The McNees Privacy & Data Security team helps businesses implement reasonable data security policies that require encryption of protected data, along with other practical steps to protect against the legal liability and harm to reputation that result from a data breach.