By Jason R. Vallee
Record-Journal staff
jvallee@record-journal.com
(203) 317-2225
As published in the Record Journal Saturday December 19, 2009
The Christmas and New Year’s holidays often involve travel and can require both government and private employees to work at home. As people consider traveling with their laptop computers to get that extra work done this holiday season, Connecticut Attorney General Richard Blumenthal is warning employees to be vigilant and use safe practices to protect sensitive information.
Information theft can become a nightmare for both companies and their clients, Blumenthal said, and failure to protect information or respond to stolen information can be a costly decision.
“First and foremost, if there is any type of personal data breach, whether through a private company or government entity, there is a legal obligation for the servicer to contact both the authorities and the clients or consumers who may have been affected,” Blumenthal said.
That was why Blumenthal said he was upset when an investigative report this month revealed that Health Net, which earlier this year admitted losing equipment containing sensitive personal data about its insurance customers, had known about the breach for more than six months before reporting it and had lied about the equipment and information that had been stolen.
Once information is stolen, he said, companies should be expected to report the theft within a reasonable amount of time — and Blumenthal defined that period as a few hours to a few days at most, not weeks or months. He said that clients must also be notified as quickly as possible.
Blumenthal has been working with the company to seek protection for those who may have been affected, he said Friday.
For Connecticut residents, this was one of two incidents in the past two years that left people feeling victimized. On Long Island in 2007, a laptop computer was stolen from the front seat of a car belonging to an employee of the Department of Revenue Services.
Files on the laptop contained the records of about 106,000 taxpayers — including names, addresses and Social Security numbers.
Industry academics and experts said it can be difficult to restore data or protect information once it is stolen. The best approach in protecting information is to prevent problems in the first place, they said.
“Stolen data is a nightmare. Once it happens, you are damned if you do and damned if you don’t,” said Erik Semmel, vice president of TAB Computer Systems and host of the radio program, “Computer Talk with TAB.” “The best way to protect your company is to let clients know, but at the same time talking about a theft has a negative effect on the company.”
Semmel and Bruce White, a professor of information systems management at Quinnipiac University, each said the best protection against information theft is to use encryption codes to seal sensitive data. Encryption codes work by putting a wall around information; a code is required to unlock the information.
“It’s kind of like a pay-per-view channel on cable television,” Semmel said. “The channel is scrambled until the company enters a code. Only then can you watch the program.”
White added that the passwords should be complicated and should never be written down or left in a place where they can be found easily. In addition, he said, using a password that includes capitalization and numbers can make it more difficult to decipher.
There are other tools that can help protect information, although they are less common. White pointed to a program called Computrace Lo-Jack that, if installed, can allow authorities to trace a stolen laptop computer.
Another program available through several companies can be used to destroy any encrypted data if a laptop is stolen, Semmel said. These systems send out a distress signal through the Internet if authorities are alerted that a laptop has been stolen and, once connected, they immediately erase the encrypted data. These systems are used most often with companies in the insurance or medical fields, he said.
The two experts each said basic physical security, including locks, and removing laptops from public view can also be strong deterrents to theft.
Steve Montemurro, Meriden’s director of management information systems, and Cheshire Town Manager Michael Milone each said his community has been fortunate not to have had information breaches.
Encryption plays a large role in the protective efforts of both communities, but in Meriden, where laptops are more prevalent among employees, there are also protocols in place to prevent items from being stolen.
Montemurro and City Manager Lawrence J. Kendzior each said employees are required to seek permission when taking laptops from the office. Employees also are required to use a lock and key to secure laptops when they are not being moved between locations.
Both towns also require employees to adhere to written codes of conduct that prevent personal use of the laptops and outline the approved uses for each employee. Milone said those who don’t obey receive strict disciplinary action.
“The severe sanctions included suspension or termination,” he said. “It may seem extreme, but we have a responsibility to protect this information for our residents and it’s been an effective way to enforce the policy.”