From the Mind of Jason Zandri

By Jason R. Vallee
Record-Journal staff
jvallee@record-journal.com
(203) 317-2225

As published in the Record Journal Saturday December 19, 2009

Follow all the news directly on the Record Journal Website for the most up to date information. www.myrecordjournal.com

Write a letter to the editor letters@record-journal.com

The Christmas and New Year’s holidays often involve travel and can require both government and private employees to work at home. As people consider travel­ing with their laptop computers to get that extra work done this holiday season, Connecticut At­torney General Richard Blumen­thal is warning employees to be vigilant and use safe practices to protect sensitive information.

Information theft can become a nightmare for both companies and their clients, Blumenthal said, and failure to protect infor­mation or respond to stolen in­formation can be a costly deci­sion.

“First and foremost, if there is any type of personal data breach, whether through a private com­pany or government entity, there is a legal obligation for the ser­vicer to contact both the authori­ties and the clients or consumers who may have been affected,” Blumenthal said.

That was why Blumenthal said he was upset when an investiga­tive report this month revealed that Health Net, which earlier this year admitted losing equip­ment containing sensitive per­sonal data about its insurance customers, had known about the breach for more than six months before reporting it and had lied about the equipment and infor­mation that had been stolen.

Once information is stolen, he said, companies should be ex­pected to report the theft within a reasonable amount of time — and Blumenthal defined that period as a few hours to a few days at most, not weeks or months. He said that clients must also be no­tified as quickly as possible.

Blumenthal has been working with the company to seek protec­tion for those who may have been affected, he said Friday.

For Connecticut residents, this was one of two incidents in the past two years that left people feeling victimized. On Long Is­land in 2007, a laptop com­puter was stolen from the front seat of a car belonging to an employee of the Department of Revenue Services.

Files on the laptop con­tained the records of about 106,000 taxpayers — including names, addresses and Social Security numbers.

Industry academics and ex­perts said it can be difficult to restore data or protect infor­mation once it is stolen. The best approach in protecting in­formation is to prevent prob­lems in the first place, they said.

“Stolen data is a nightmare. Once it happens, you are damned if you do and damned if you don’t,” said Erik Semmel, vice president of TAB Com­puter Systems and host of the radio program, “Computer Talk with TAB.” “The best way to protect your company is to let clients know, but at the same time talking about a theft has a negative effect on the company.”

Semmel and Bruce White, a professor of information sys­tems management at Quinnip­iac University, each said the best protection against infor­mation theft is to use encryp­tion codes to seal sensitive data. Encryption codes work by putting a wall around infor­mation; a code is required to unlock the information.

“It’s kind of like a pay-per-­view channel on cable televi­sion,” Semmel said. “The chan­nel is scrambled until the company enters a code. Only then can you watch the pro­gram.”

White added that the pass­words should be complicated and should never be written down or left in a place where they can be found easily. In ad­dition, he said, using a pass­word that includes capitaliza­tion and numbers can make it more difficult to decipher.

There are other tools that can help protect information, although they are less com­mon. White pointed to a pro­gram called Computrace Lo-Jack that, if installed, can allow authorities to trace a stolen laptop computer.

Another program available through several companies can be used to destroy any en­crypted data if a laptop is stolen, Semmel said. These systems send out a distress sig­nal through the Internet if au­thorities are alerted that a lap­top has been stolen and, once connected, they immediate erase the encrypted data. These systems are used most often with companies in the in­surance or medical fields, he said.

The two experts each said basic physical security, includ­ing locks, and removing lap­tops from public view can also be strong deterrents to theft.

Steve Montemurro, Meri­den’s director of management information systems, and Cheshire Town Manager Michael Milone each said his community has been fortunate not to have had information breaches.
Encryption plays a large role in the protective efforts of both communities, but in Meriden, where laptops are more prevalent among employees, there are also proto­cols in place to prevent items from being stolen.

Montemurro and City Man­ager Lawrence J. Kendzior each said employees are re­quired to seek permission when taking laptops from the office. Employees also are re­quired to use a lock and key to secure laptops when they are not being moved between lo­cations.

Both towns also require em­ployees to adhere to written codes of conduct that prevent personal use of the laptops and outline the approved uses for each employee. Milone said those who don’t obey receive strict disciplinary action.

“The severe sanctions in­cluded suspension or termina­tion,” he said. “It may seem ex­treme, but we have a responsibility to protect this information for our residents and it’s been an effective way to enforce the policy.”