Before you save sensitive data to any mobile device, it is your responsibility to:

• Determine if your organization allows you to remove the data in question from the office in the first place. Are you allowed to save that database, Excel file, Word document, customer list, employee record, intellectual capital, etc. on your laptop, thumb drive or other mobile device?
• Decide if it is absolutely necessary to remove it from the more highly-controlled and secure environment of the office. In many of the major cases of reported data breach, the data stored on the mobile device did not actually need to be there in the first place.
• Verify that you have been authorized by your supervisor to place a copy on your device. When in doubt, check with your manager, supervisor or privacy officer to determine the correct course of action.
• Exhaust all other lower-risk alternatives for accessing the data. In many cases, it is possible to utilize a secure remote access connection to access the data so that it never leaves the company premises. You lower your personal liability when you access the data through centralized, highly secure methods.

As you save sensitive data to the device, it is your responsibility to:

• Minimize the number of records you transfer. If you don’t need the entire contact database, take only the records that you need. In case of a breach, this minimizes exposure.
• Minimize the corresponding fields for each record transferred. If you only need names and phone numbers, don’t transfer additional account information such as address, account numbers, etc.
• Consider de-identifying the data to render it anonymous. For example, if you track medical records using a Social Security Number but are transferring the data to do a high-level analysis of overall profitability, there is no need to include the SSNs in your transfer. Exclude that column from the data you take with you.

Before you leave the office, it is your responsibility to:

• Attempt to encrypt the individual data file. In addition to encrypting the data device itself, it is possible in many software programs to encrypt the individual data file, giving an added layer of protection.
• Make sure your data device has been encrypted. This will most often be the responsibility of your IT department, but it is your responsibility to verify that they have done their job.
• Protect your device with a strong password that utilizes letters, numbers, symbols and upper/lower case characters where possible?
• Protect the individual sensitive files with a separate, strong password. The programs that allow you to encrypt individual files will also allow you to assign individual passwords to the file.

Once you have left the office, it is your responsibility to:

• Utilize a secure wireless internet connection only (e.g., in airports, hotels, coffee shops, etc.). Make sure your IT department has enabled WEP wireless encryption on your wireless device.
• Run a secure firewall between your laptop and your connection to the internet.
• Email sensitive data only when absolutely necessary and even then, use an encrypted, password-protected format?
• Physically secure (lock down) the device when in transit (e.g., in your car, in the airport, in your hotel room).
• Utilize Laptop Anti-theft Best Practices

Click here to view the embedded video.

When you no longer need the sensitive data on your device, it is your responsibility to:

• Remove and electronically destroy all remnants of the sensitive files on your device (e.g., digital shredding, low-level formatting and occasionally, like in the case of DVDs, CDs and tape backups, complete physical destruction). If this task falls under the responsibility of your IT department, it is your responsibility to make sure, to the best of your ability, that they do their job.

If this seems like a great deal of responsibility, that’s because it is. In the information economy, our most valuable assets are the information that we collect, store and protect every day. As executives or employees of our respective organizations, it’s not just profitable to protect sensitive information; it’s also the right thing to do.

John Sileo speaks to corporations about data breach protection. His clients include the Department of Defense, Pfizer and the FDIC. Contact John directly on 1.800.258.8076 to learn more.

Related posts:

1. Data Breach Speaker: Organized Crime + Vendor Error
2. The 7 Deadly Sins of Privacy Leadership: How CEOs Enable Data Breach
3. Protect Your Laptop from Identity Theft while Traveling

 First, a little background. During the speech, I shared three general techniques with them to help them protect the identities they hand every day (their clients’ and their own):

1. The Privacy Reflex. How to recognize a scam, fraud, identity thief or dishonest transaction before it harms you. This uses a combination of anti-social engineering tools that retrain the audience to trust their instincts when they are sharing data (either their own or their clients).
2. The Interrogation. How to ask effective and highly specific questions in order to determine who can be trusted. 
3. Targeting the Enemy. In this section, I talk about the specific tools that can be used by financial planners to lower the risk that either their identity or their client’s identity is stolen. This included stopping financial junk mail, moving to on line statements, freezing credit, limiting data collection inside of the business, protecting laptops and mobile data devices, investing proportionally to value in regard to professional document shredding and computer network security, and utilizing existing Identity Surveillance tools (http://www.csidentity.com/, http://www.annualcreditreport.com/, eMoneyAdvisor) to protect client identities.

But during the speech, I gave them a piece of advise that I would like to amend. One of the most frequent forms of the theft of financial advisor client information happens when a laptop computer is stolen from the advisor. And one of the most common places this happens, ironically, is when the advisor is attending an out-of-town conference or meeting. Instead of lugging the laptop with them to each event, it’s just easier to leave it back in the hotel room.

But when you ask yourself who is in control of that computer once you have left the room, the answer is full of risk. Of course, it’s the cleaning staff. Most room service personnel are trustworthy, but you can’t bank on that always being the case. With that in mind, I recommended several options to protect the identities on that computer:

1. First of all, use strong passwords and data encryption to protect the data on the notebook computer in case it does disappear.  
2. Stop carrying data on your computer that you don’t absolutely need. If you don’t need to have client information on there, don’t put it on in the first place.
3. Carry it with you to the events. Of course, when you set it down during a coffee break, your risk goes back up.
4. Lock the laptop in the room safe. Sometimes they don’t fit, so I suggest that you pull the hard drive out of the laptop (which is where all of the identity lives) and place that in the safe.
5. Use the hotel safe. Most hotels will lock up computers for you in their safe. Now you just need confidence that the hotel staff are trustworthy.
6. The option that I liked best (until yesterday) was to place the DO NOT DISTURB sign on my door as I leave each morning so that no one enters my room. True, your room doesn’t get cleaned, but you are keeping potential thieves not just from your computer, but from any client documents, passports or intellectual capital that might be in the room. Hiding things is a poor option, as a thief will know every one of those spots by heart.

Unfortunately, when I got back to my hotel room at the Marriott after spending the day in downtown Los Angeles, the cleaning staff had eventually ignored the Do Not Disturb sign and cleaned the room anyway. You should have seen me go after the manager who was on duty. Not only is this a violation of my privacy, it is a violation of hotel policy.

Or is it?

No one on duty yesterday could tell me what the policy is for a room with a Do Not Disturb sign on it. If it hangs all day, are they allowed to enter the room? At this hotel, it would appear so, but absolutely no one could tell me the ACTUAL POLICY. Which means that this is no longer as strong an option as I thought it was. I have stayed in more than 400 hotels over the past few years and this is the first time someone has entered the room when the sign was hanging on the door (that I know of). Luckily, my computer was in the safe and my client files were with me in downtown LA (I like to use layered levels of protection and not just rely on one factor – I’m a bit paranoid in that way because of what I’ve been through).  But I need to add a caveat to yesterday’s speech: Do Not Disturb signs don’t always work. If you are going to use this option, make sure you call down to house keeping and let them know that you don’t want your room cleaned or entered.

In the meantime, lock the data up in the safe as much as possible.

John Sileo
Identity Theft Speaker for Financial Planners

Related posts:

1. Data Breach Protection: Laptop Theft Best Practices
2. Identity Theft Prevention in a Hotel