GPSolo December 2006
The Best Way to Deal with Disaster: Avoid It!
We have devoted this issue of GPSolo’s Technology and Practice Guide to disasters, focusing on reducing the impact of disasters on your practice by planning ahead for recovery. This column will take a somewhat different approach, focusing on avoiding disaster.
Disasters come in many forms and as the result of numerous causes in nature, accidents, and at the hands of other people. Most disaster recovery plans use timely and competent backup as a routine but critical foundation. Unfortunately, backing up your work will not help you recover from a very common disaster.
Stolen Laptops and PDAs
More and more people keep more and more critical data on their laptops and PDAs. We hear with increasing regularity about laptops stolen from corporate employees, university staff, bank officers, and government workers. Those laptops seem invariably to have personal or proprietary information or private and sensitive information about customers, students, or clients. By way of example:
• A laptop stolen from the University of California at Berkeley contained personal information about almost 100,000 alumni, graduate students, and past applicants.
• A laptop stolen from the car of an MCI analyst contained personal information, including names and Social Security Numbers, of approximately 16,500 past and current employees.
• A laptop stolen from Fidelity Investments held the names, addresses, birth dates, Social Security Numbers, and other personal information of approximately 196,000 clients.
• A laptop stolen from the home of an employee of Nationwide Retirement Solutions reportedly contained personal information on some 38,000 City of Chicago employees and retirees.
• In perhaps the most startling example of this type of loss, a laptop stolen from the house of a staff member of the US Department of Veterans Affairs contained some 26 million names, birth dates, and Social Security Numbers of veterans.
• A laptop stolen from a government-owned vehicle contained personal information on some 133,000 Florida residents. The information included names, addresses, birth dates, and Social Security Numbers.
• A laptop stolen from Compass Health, a treatment provider for mental illness, contained personal and health information about some 8,000 individuals.
• A recent article in the Washington Post (September 22, 2006) reported that the U.S. Commerce Department has reported 1,100 laptop computers missing since 2001. Of that number, 250 came from the Census Department, potentially compromising personal information of more than 6,000 families. All of the computers had password protection. Only 107 of them had fully encrypted data files.
You can find a more complete, more up-to-date, and more shocking list of such events on the Privacy Rights Clearinghouse website, www.privacyrights.org/ar/ChronDataBreaches.htm. As of September 8, 2006, the Privacy Clearinghouse calculated the involvement of some 93 million individual records in such incidents.
As of June 2006, Consumers Union cataloged 31 states with laws requiring disclosure of certain losses of personal data. No such statutes existed prior to 2005. Consumers Union provides a listing of the states with such laws, along with a brief summary of the statutes.
Although attorneys will not likely have personal information about hundreds of thousands of individuals on their laptops, it is quite likely that they will have some personal information about themselves and their clients. Some of that critical data could include the lawyers’ own information (credit card account numbers, bank account numbers, Social Security Number, online passwords, etc.). Additionally, as attorneys, they may have personal and/or confidential information relating to clients and their affairs. Other attorneys may have proprietary information about their client’s business or another company partnering with them or a company that their client may consider acquiring. For that matter, some clients who come to us seeking legal advice respecting their own exposure and how to limit it may have such information on their computers. If any of this information comes into the possession of a third person, many bad things can happen.
For example, if you keep your personal banking information on your laptop or in your PDA and lose it by accident or theft, a third party may come into possession of that information. With that information, the third party could access your bank accounts and move money out of them. If you use online banking and bill paying, accessing the bank’s website could allow the third party access to your credit card account numbers. Information such as names, addresses, birth dates, and Social Security Numbers may suffice to allow third parties to establish credit for themselves in your name or in the name of someone else with compromised information.
The process of protecting oneself after the loss of such data tends to be both painful and protracted. The loss of proprietary information may create unrecoverable losses for businesses and individuals. The loss of private or confidential information of others could result in extensive liability for the responsible party.
While, undoubtedly, some thieves target particular computers for the information they may contain, the irony is that most computer theft apparently arises out of a desire to get the equipment itself for personal use or resale.
Desktop computer theft could, of course, result in the same type of problem. As a practical matter, however, the portability of laptops makes them primary targets. A thief can walk off with a laptop left in an office, a car, a restaurant, a hotel, or any number of other places. The far less mobile desktop computer does not get around quite so much or grow legs quite so easily. Additionally, you can leave desktop equipment physically secured to dissuade interested passers-by from stray thoughts of mischief.
Lock Up Your Laptop
Protection against the type of disaster that results from the loss of information requires a two-pronged defense. First, you want to prevent the loss of the laptop. Although you may not completely remove the risk of loss, you can reduce the exposure. Exposure reduction requires common sense. Laptop theft thrives on the carelessness of the owner, who may leave the computer unlocked and unattended in an office, at a coffee shop or other public place, in a hotel room, or in an unlocked car. Below are some laptop Dos and Don’ts.
- 1. Don’t leave laptops unattended and unprotected at any time.
- 2. Don’t leave laptops in unlocked cars.
- 3. Don’t leave laptops unattended and unlocked in open offices.
- 4. Don’t leave unlocked laptops sitting out in hotel rooms.
- 5. Don’t leave laptops unattended or unlocked at the table at Starbucks (or some other wireless hotspot) while you go to pick up your latte or to use the restroom.
- 6. Don’t carry a laptop in a computer case and leave the case unattended in a public place (airport lounge, bank, etc.).
- 7. Don’t carry a laptop in a case obviously designed to carry laptops.
- 1. Do buy and use a computer lock. Virtually all laptops have a connection for a lock (often referred to as a Kensington lock connection). When you use the lock, chain the computer to something secure. Use such locks in your office, home, and when you travel. You can get computer locks from a number of sources. For some time I have used Targus locks (www.targus.com/us). They make several versions of cable locks, which generally cost between $30 and $55. You can get them with keys or combination locks (I prefer the combination style, as it makes for one less key to carry). Targus also sells one cable lock reinforced by steel (they call it armor). The armor adds a significant amount of weight, but it gives you additional protection against someone cutting your cable and walking off with your laptop. You can also get computer locks with built-in alarms for additional protection.
- 2. Do lock your car. If you leave a computer in the car, lock it in the trunk. Note, however, that leaving a computer locked in the trunk during the summer on an extremely hot day for a prolonged time can damage the computer.
- 3. Do use hotel safes. Many hotel rooms have safes that will accommodate your laptop (even though you may have to angle it in). If the room has such a safe and you plan to leave the computer in the room, put it in the safe. If the room does not have a safe or the safe is too small to hold the computer, at least lock the computer up to something secure. In situations where you have no hotel safe available, you can also check it at the front desk or hide it in your room. I have, for example, been known to put the computer envelope in a suitcase, lock the suitcase, and then use a lock to chain the suitcase to an ironing board. It sounds strange when I write about it, but it did give the computer some protection against walking away. Certainly a determined thief could have gotten through all of that if he wished. Still, I am of the belief that, the more you make thieves look, the less likely it is that they will find what they seek. Moreover, I can safely conclude that these steps work some of the time. I travel a lot and never leave home without my computer. I have employed these techniques, and at least so far, my luck has held out, and I have not yet lost a computer to a thief.
- 4. Do carry the computer in a bag that does not look like a computer bag.
- 5. Do buy a computer envelope that provides padding for your computer and sufficient protection that you can safely carry it around in a briefcase, suitcase, carry-on bag, or backpack.
- 6. Do not check your laptop when you fly if you can possibly avoid it. Recent changes in airline regulations have made it so that you may have to check your computer to fly from certain airports. If you are traveling from such an airport, consider leaving your computer at home. If you must take it with you and check it, you will want to protect it with as much padding as possible. Consider getting a hard-shell padded case for it. Alternatively, get a well-made and well-padded computer envelope and pack it in the middle of your suitcase with as much clothing around it as possible. Remember that once you check the luggage, you risk never seeing it again. For that reason, if you have to check your computer as luggage, follow the suggestions below respecting data protection.
No safeguards will guarantee you complete protection against loss or theft. You can take some comfort in the knowledge that you can insure against the loss of the hardware, that properly backing up will allow you to get up and running on a new computer quickly, and that you can find and acquire acceptable computers easily in most places. But what about the data on the stolen hardware? What if critical or sensitive data falls into the wrong hands?
Protect Your Data
That brings us to the second prong of our defense: keeping the data protected and out of the hands of those who would misuse it. You can take a number of different approaches:
1. Keep data off your laptop. Clearly, if the laptop does not contain confidential information or other critical data, the theft of the computer poses little threat of data loss or misappropriation. Keeping the data off the laptop means that you have to access it from some source other than the laptop’s hard disk. You can accomplish that by accessing it on your office network or by storing it off-site in a protected location, online or off. If you use an online location or your office network, you can access the data whenever and wherever you can connect to the Internet. Unfortunately, that means you cannot use it when you do not have Internet access. If you do use this approach, do not take advantage of the features that allow your computer to save your access/password information or automatically log on to the site. Manually entering that information preserves the safety of the data. Allowing the computer to retain the information and enter it automatically makes the computer a key that opens the door to the stored information for anyone who uses the computer.
2. Password-protect your laptop. Virtually all operating systems allow you to password-protect the computer. You should always do that. Yes, a clever hacker can often bypass passwords at this level, but you improve the likelihood of protecting the data by using such passwords. Basic rules for password selection: (1) Do not choose passwords easily guessed by others. Your name, birth date, spouse’s name, children’s names, etc., do not give as much protection as something not so closely tied to you personally. (2) Use passwords containing a minimum of six characters (the more the merrier). (3) Always use both numbers and letters in your passwords. (4) Passwords are generally case sensitive, so use upper- and lowercase letters. (5) For a dash of spice and to make the password harder to guess, throw in a symbol or punctuation mark if allowed. Random selection makes passwords harder to guess but also makes them harder to remember. If you use Windows, you should also change the name of the administrator account when setting up your password, just to make things a little harder for anyone trying to circumvent the passwords.
One final suggestion about passwords: Do not leave them lying around where someone can find them. Keep them in a safe place (encrypted in your password-protected PDA may prove a good choice). Whatever you do, do not tape them to the bottom of the computer case or computer, write them in permanent marker on the computer case or computer, or put them on a card that you leave in the computer bag all the time. (Note: These password tips will also help you select more secure passwords for network access, remote access to your office computer or network, online banking, etc. Better safe than sorry.)
3. What about biometric technology? Many computers now come with fingerprint readers for access. If your computer does not come with a built-in fingerprint reader, you can add it through a third-party USB device or, in some cases, an add-on device offered by the computer manufacturer. Although these devices have not yet achieved perfection, they do work fairly well; when they err, they generally allow access where they should not, rather than keeping you out of your own computer. The quality of biometric security continues to increase, and manufacturers make new options available. For example, Fujitsu recently announced a USB connective device it calls Palm Secure (www.fujitsu.com), which reads the pattern of veins in the palm of your hand instead of your fingerprints. If you opt for biometric security, a built-in reader will probably make you happier if you are mobile. The external readers make for one more thing to carry around, find space for in your bag, and lose.
4. Encrypt your data. No matter what other security measures you take, you will want to encrypt and password protect your data. The encryption process renders the data unreadable without a key to decrypt it and make it usable again. The standard in place for many years, DES (which, cleverly enough, stands for “data encryption standard”) uses a 56-bit key to encrypt and decrypt data in 64-bit blocks. For most users DES still represents fairly strong encryption, but recently an advanced encryption standard (AES) was introduced. AES allows the use of 128-, 192-, or 256-bit keys in 128-bit blocks for encryption and decryption.
Nothing good comes without risks. The risks associated with encryption include the possibility of losing the key (leaving no way to unlock your data). Additionally, many encryption programs tie the encrypted data to the user account. The destruction or loss of the user account can make it difficult, if not impossible, to decrypt the data. To limit exposure to that problem, you should create a recovery agent or a second account that has the ability to recover the data. For an excellent tutorial on encrypting files in Windows, see Beginners Guides: Preventing Data Theft from a Stolen Laptop.
5. Separately store encrypted files. The use of encryption software to protect your files on the laptop should, in conjunction with the other measures discussed above, give you a feeling of reasonable security respecting your data. If you want even more protection, you can take those encrypted files and move them off your computer onto an external storage device. Assuming the size of your data files allows it, thumb drives have become a favorite external storage device in the last year or so. Those devices now come with biometric protection built in. Transcend Information, Inc. (www.transcendusa.com) recently released such devices. They sell a high-speed 2 GB USB 2.0 thumb drive with a built-in fingerprint reader for less than $70. They also sell a version that turns into a software lock for your computer, but with no fingerprint reader. You can get a 4 GB drive in that version for $110. Once you move the encrypted files to the thumb drive and erase them from your hard disk, you will have protected the data fairly well. Either keep the drives with you or lock them in the hotel safe when you are not using them.
Remember that nothing works perfectly and the possibility remains that, even after you erase it, a determined hacker could find the data on your hard drive and crack the code, but at some point in time you have to accept the fact that you have reduced the odds of a problem as much as you reasonably can.
What About PDAs?
PDAs represent a different problem than computers. We may have some personal information on a PDA, but more often than not, beyond names, addresses, and phone numbers, the personal information on a PDA relates to the owner rather than third parties. Many of us keep banking information, PIN numbers, passwords, decryption codes, and the like on our PDAs. And because many PDAs also function as telephones and have the ability to get e-mail, the possibility exists that your PDA might contain or provide direct access to confidential information about one or more of your clients.
A recent survey concluded that at least a third of PDA users still do not even password-protect their PDA devices. Although I do not have survey data to support it, anecdotal information strongly suggests that more people lose their PDAs than lose their laptops. PDAs often get left behind on restaurant tables, in taxis, or in a variety of other locations. As portable as laptop computers have become, PDAs remain more portable and, therefore, more easily stolen.
Protect the data on your PDA as you do on your laptop. If you don’t need your PDA with you, do not leave it lying around in plain sight. Make sure that it is securely locked up and protected. Additionally, you can get encryption software for both the Palm OS and Windows Mobile platforms, the two most popular operating systems for PDAs. If you keep sensitive data on your PDA, consider encrypting it for the protection of all concerned. You can also get biometric devices for some PDAs. Follow the advice above respecting computer passwords, especially if you have all your computer and data encryption passwords on the PDA (make sure that you can remember the password for the PDA or you will lose access to that information). You might want to write it on a slip of paper and keep it in your wallet. Or, just as an added precaution, you might want to write it backward on a piece of paper and put it in your wallet.
If you exercise reasonable care and caution, you can keep your data reasonably safe and secure. Remember: The data you save may be your own!
Jeffrey Allen is the principal in the Graves & Allen law firm in Oakland, California. A frequent speaker on technology topics, he is the special issue editor of GPSolo’s Technology & Practice Guide and editor-in-chief of the Technology eReport. He also teaches business law in the graduate and undergraduate divisions of the Business School of the University of Phoenix. He can be reached at firstname.lastname@example.org.