If Nothing Else, Encrypt Your Computers and External Drives!
As a Chicago business lawyer licensed in Illinois, I have to attend a certain amount of Continuing Legal Education every two years. So, last week I went to brush up on security and privacy matters at a Chicago Bar Association seminar entitled, "Encryption for Lawyers."
It was an excellent reminder of the stakes involved not just for lawyers, but all business owners and managers in this age of ever increasing electronic data. First, many financial, healthcare and other companies are subject to specific security, breach notification and corrective action regulations through HIPAA and similar legislation designed to protect personally identifiable information ("PII"). Second, the potential opportunities for breaches are mind numbing when considering all the technologies we use: computers, flash and other external drives, email, cell and smart phones, WiFi and wireless routers, Bluetooth headsets and online or "cloud" services. Third, every week brings new stories of hackers, like that of Google's experience in China, or lost laptops.
Days could be spent on studying regulations, guidelines and best practices. For example, just think about keeping track of, much less, securing all the places you have data either residing or being transmitted. Volumes have been written just on how to delete and destroy data from disks and drives before disposal. (One speaker's tip: Super Glue works well to disable thumb drives.)
For now, the key takeaways from the seminar were: "Handle PII like it is cash" and "Encrypt your computers and drives." I want to emphasize the latter because, in addition to basic use of passwords, it provides the biggest bang for the buck. There are free or relatively inexpensive encryption programs that require a password in order to fully start your laptop or other device. Thus, this is a fairly simple way to protect everything in case of loss or theft, which greatly reduces your exposure to negligence or regulatory violation claims. And, generally speaking, laws requiring notice of PII breaches to employees and customers are not triggered if lost data was encrypted.
For more detailed information and advice regarding information security and privacy legal considerations, contact our Chicago and suburban business lawyers.