Minimize the Data, Maximize Laptop Security
Few would disagree that the securities industry has benefited immensely from the advent of the mobile workforce. But the proliferation of mobile devices among financial professionals has vastly increased the points of access for sensitive customer data -- for employees and criminals alike. Incidents of lost laptops have highlighted this vulnerability and the need for firms to reconsider the value of convenience.
In the interest of improving ease of access and usability for employees, financial firms historically have been careless in handling customer data on laptops and other mobile devices. "We retain a tremendous amount of sensitive data on consumers that we don't need to have," argues Troy Allen, chief fraud solutions officer, Kroll Fraud Solutions, a New York-based risk consultancy. "We transfer it and use it in inappropriate and unprotected ways, and we have built our business processes around its use."
Allen advocates implementing data minimization best practices among mobile employees. Data minimization includes collecting only data that is absolutely necessary to the business, keeping data for only as long as it's needed and purging it as soon as possible. Limiting the locations of sensitive data and securing them appropriately also are critical.
Given the encryption and secure networking capabilities available, Allen questions whether there ever is any excuse for storing unprotected data on mobile devices. Firms are trying to walk the line between employee convenience and customer security. But, he contends, all too often they fail.
In June, ING U.S. Financial Services learned this lesson the hard way. The firm realized that two laptops stolen in December 2005 contained sensitive customer data, and a third laptop was stolen from the home of an ING financial advisor. In total, as many as 21,500 records are estimated to have been exposed, although none of this information has been used for fraud or identity theft purposes, reports ING CIO Steve Van Wyck.
As a result, Van Wyck says, "We went through a lockdown process once we found that not all of our laptops were at the level of encryption and protection that we thought was required." All mobile devices were restricted to use on ING premises while they were updated with hardware encryption from Foxboro, Mass.-based Utimaco, he explains.
ING now encrypts every bit on its mobile hard drives, rather than relying on application-level encryption, adds Van Wyck. This, he contends, is an absolute necessity as the problem of laptop loss is perpetual. "We still continue to lose laptops," he concedes. "Anyone that tells you that they're not losing laptops is not aware of the fact that they are." --C.L.
Select Chronology of Laptop Losses
DATE | FIRM | INCIDENT | NO. OF RECORDS EXPOSED |
June 29, 2005 | Bank of America | Stolen laptop | 18,000 |
Aug. 30, 2005 | JP Morgan, Dallas | Stolen laptop | Unknown |
Late December 2005 | Ameriprise Financial | Stolen laptop containing Social Security and account information | Unknown |
Mar. 23, 2006 | Fidelity Investments | Stolen laptop containing information of HP, Compaq and DEC retirement account customers | 196,000 |
June 16, 2006 | ING Miami | Firm reports two laptops stolen in Dec. '05 | 8,500 |
June 17, 2006 | ING Washington D.C. | Laptop stolen from employee's home | 13,000 |
July 7, 2006 | NASD | Ten laptops stolen on Feb. 25 from investigators | 73 |
July 25, 2006 | Old Mutual Capital | Laptop stolen in May | 6,500 |
Source: Privacy Rights Clearinghouse