Line of defense: simple, complex security measures help prevent lost and stolen laptops.

• Author: Bueb, Francis
• Position: PRACTICEMANAGEMENT

Did you read about the U.S. Department of Veteran Affairs employee who lost a laptop that contained personal information of some 26 million veterans? Or how about the AICPA employee who lost a laptop that contained Social Security numbers, and other personal information, of many AICPA members? And then there was the auditor whose laptop, which contained more than 500 Social Security numbers of current and former employees of a large law firm's pension plan, was stolen.

CPAs used to secure data in their offices or locked in briefcases. Today, however, with the ease of accessing and storing sensitive information on laptops, CPAs need to reconsider how they keep client information confidential and secure.

How Do I Secure My Laptop?

Because of their portability, laptops pose a great opportunity to work from anywhere. But with that opportunity comes risk, and the loss incurred when a laptop is lost or stolen is generally much greater than simply replacing the hardware.

There may be extensive effort and cost in reconstructing lost data, not to mention the costs to take corrective measures relating to the theft of sensitive information.

A primary step toward protecting client data is to adopt some general standards that make sense for the firm. While one size does not fit all, some effective controls that enhance data security can be implemented, regardless of firm size or complexity.

Such standards, which should be put in writing and communicated to employees regularly, should address the type of information that's stored on laptops. For one firm, it may be acceptable to store client files, but for other firms, the decision may depend on the type of client, the sensitivity of the information and control measures already in place.

With regard to private or sensitive information, the best--and obvious--solution is not loading it on a laptop unless absolutely necessary to perform the work. If it is necessary, put security controls in place before loading any files.

For example, consider having the client redact sensitive components of the information if they are not needed for your scope of work. Also consider password protecting files on spreadsheets to prevent unauthorized access.

Another way to mitigate risk is to think carefully about where and when to bring a laptop. After all, the best way to avoid theft or loss is to eliminate the possibility.

For example, it may be possible to leave your laptop behind if, while traveling, you only need to check e-mail and have access to a computer facility, such...