Is There a Problem Here? Privacy and Data Security in the Mobile CPA Firm
Look around your firm today. It seems like everyone is using a notebook computer, right? Not just audit teams, but partners, consultants, and accountants from all departments of the firm are carrying their computers with them as they travel out and about. With decreasing prices and increasing capabilities, today’s notebooks are in many cases the equal of most desktop machines. Included in that increased capacity are huge hard drives capable of storing enormous amounts of data. The IBM ThinkPad, on which I am writing this article, has a 50GB drive, and I’m sure you can find one around that’s even bigger!
Now, think about the nature of the data on these notebooks. Applications such as ProSystem fx Engagement, CaseWare Working Papers, or CSI’s Engagement CS allow the synchronization of whole engagement files from network servers to notebooks which will be carried into the field. Add to that the email mailboxes and other miscellaneous files that almost everyone has on their machines and you quickly realize there is a whole lot of very sensitive data being carried around. Aside from confidential financial data, your files likely contain sensitive personal data on clients and employees which may include names, social security numbers, birth dates, and other tools to help a potential identity thief.
From a privacy, confidentiality, and security perspective, if that doesn’t make you pause and think for a moment, it should!
Theft of notebook computers (and therefore the loss and compromise of their data) is a large and growing problem. While firm statistics are hard to pin down, recent estimates include over 600,000 notebook thefts each year (Safeway Insurance) and a 1 in 10 prospect of a notebook being stolen (Gartner Group). It’s clear that every firm is at risk for the potential loss of a computer and its data, and it’s not just theft that causes a problem. While it may not seem likely to just “lose” a computer, it can happen more easily than you might think. An associate of mine was traveling on business last week, and when she sent her notebook through the airport security scanner, it and another just like it came out at the same time. She and the other computer owner puzzled for a moment over whose was which, and finally they booted up both machines just to be sure each of them got the right one. Imagine what would happen if she had not taken that precaution and two travelers headed in opposite directions, each carrying the other’s computer! It’s for this exact reason that I take the simple precaution of taping a business card to the outer cover of my notebook.
Obviously you will feel that you have important responsibilities to safeguard these mobile gold-mines of sensitive data. Accountants have always assured their clients that they take confidentiality seriously and devote serious energy toward training staff on how to safeguard client information. However, the stakes have recently become much higher. State privacy protection laws, such as California’s Security Breach Notification Law (“SB 1386”), now impose strict reporting requirements if personal data is compromised, including notification of each individual affected. The cost of notification to large numbers of compromised individuals, or the payment for a period of credit report monitoring, will far exceed the cost of replacing the lost computer! At the time of this writing, 23 states have some form of privacy breach notification in place.
So, what are the prudent measures you should put in place to prevent the loss of your valuable data, to render it unusable in unauthorized hands, and to enhance your chances of recovering it if it is lost? Fortunately there are several steps you can take.
Actions to Take
The first step, and the easiest one to implement, is awareness training for your staff. It’s all too easy to believe “I’ll only be gone for a moment” or “my stuff is safe here.” People must work from the mindset of “If I let my guard down for a moment, my computer will be gone.” For those who are good-hearted and trusting by nature, this is a hard concept to work from, but in this case it’s a necessity. Simply put, if there is not someone you know and trust to watch your computer for you, then take it with you wherever you go. That’s why they are made to be portable! Probably the most common story of a stolen computer is one taken from a parked car. While it may feel awkward to take a computer bag with you for a quick stop at the dry cleaner or grocery store, it’s far less awkward than trying to explain why a thief was able to break a window and your computer is gone.
Simple physical security devices like lockdown cables are not foolproof, and stories abound about how easy it is to defeat one, but the idea is to make your computer harder to just snatch and grab. Slow down a thief any way you can; a lockdown cable surely can’t hurt!
Beyond these simple physical measures, which are mostly the application of good common sense, there are some sophisticated electronic measures which you can put into place as well. These fall into two broad categories, and both “kick in” after a computer has actually been lost. The first is designed to safeguard the data on the machine, while the second helps recover a machine after it’s been stolen.
Safeguarding data when it is in unauthorized hands is a matter of controlling access and encrypting data. Controlling access depends on strong password protection. Microsoft defines “strong” passwords as 14 characters or more and a combination of letters, numbers, and special characters, with a mix of upper and lower case characters. Applying these passwords to your Windows login will make it more difficult for a casual thief to log in as “you”, thereby gaining access to your “My Documents” folders. A casual thief is probably more interested in the hardware than the data, and will be looking for a quick resale.
A determined intruder, looking for the data itself, will need more of a deterrent than Windows passwords. Here you will need to encrypt the data itself. Encryption can occur at the file and folder level, or across an entire drive. While Microsoft provides a form of encryption through Windows Encrypted File Service (EFS), that encryption is keyed to your user login. If the intruder is able to log in as “you”, he or she has access to your data even if it is encrypted with EFS. Therefore, most firms that go this route will seek a third party product such as PGP or AlphaCipher from Vadium Technologies, which rely on encryption techniques above and beyond the Windows operating system.
Accountants using encryption technology need assurances that application databases such as tax, audit automation, and time and billing will operate correctly from encrypted disks or folders. The major software vendors test their products under a variety of scenarios and will be able to advise their customers of encryption solutions which are fully compatible with their products.
While encryption strategies will help safeguard the data on a lost or stolen notebook computer, they do nothing to help recover the missing machine. Fortunately there is a class of products which do just that! These products require an additional password to achieve normal operation. If the computer is used without the proper credential, the software “phones home” to a security number which can then begin to trace the computer through its Internet address and alert both the user and law enforcement agencies. Many computer manufacturers are now offering the option of including CompuTrace by Absolute Software with new computer orders. Another product providing similar service is The CyberAngel. The CyberAngel also provides “on-the-fly” encryption to secure sensitive data. This encryption is triggered when the proper security password is not correctly used.
Now equipped with an understanding of the problem, and some possible solutions, what should be your plan of action? Consider these four steps:
- Educate for awareness
- Document alert procedures
- Evaluate and select products
- Maintain and update
Educate for Awareness
As mentioned above, the first step toward reducing the prospect of loss is to train your staff on the risks they face and how to mitigate them. This should be part of every new employee orientation. Document your policies in your employee manual and conduct periodic refresher training throughout the year.
Document Alert Procedures
Don’t wait until a computer goes missing to think about what actions you should take. Develop a complete checklist now, including who should be notified, what they should be told, and how to comply with any applicable state reporting laws. Be sure you have a complete list of equipment types and serial numbers to aid in identification if a computer is recovered. Remember, in many states this is a legal compliance issue! Don’t compound your problem by failing to report properly.
Evaluate, Select and Install Products
You should be looking for a variety of tools: physical security aids, encryption solutions, and recovery aids. Of the many available, one will be right for you and your firm. Weigh the cost of their acquisition against the potential cost of dealing with large amounts of lost data and this quickly looks like a good investment.
Maintain and Update
Like many things we face in practice, this is not an issue you can address once and have solved forever. Threats will change, risks will change, and requirements will change. Be sure your plans, your people, and your processes change along with them. Conduct periodic training updates, ensure software is kept up to date with the latest versions, and keep your emergency reaction checklists current.
If you haven’t yet experienced the loss of a computer full of sensitive and confidential data, you are living on borrowed time. Plan ahead now to minimize the risk, reduce your exposure, and enhance your chances of recovery. Manage your risks through proactive strategies. Let good planning reduce the need for good luck!
Written by Kenneth M. McCall, MBA, MCP, CDIA+, a Senior Consultant for Boomer Consulting, Inc. - www.boomer.com.