Their widespread use sometimes makes relatively new technologies seem safer than they are. In fact, even popular and advantageous innovative devices may have significant risks. Prominent examples include data-filled laptops and flash drives. Recurrent headlines make it clear: Your laptop could become one of the thousands lost or stolen every year. Not surprisingly, if the device contains client tax returns or other sensitive information, you and your firm could be ethically, legally and financially responsible for a security breach and its consequences.
The danger is too great to ignore, but these convenient devices have become a tactical necessity for CPAs on the go. This article looks at new technologies that mitigate the risks of portable data storage devices so you can use them without hesitation.
Serious data losses can occur without warning. Consider the fictitious case of CPA Rhonda, the director of admissions and financial aid for a college.
After she barely makes a commuter flight to meet potential students and their parents, Rhonda has to sit at the back of the crowded cabin and let a flight attendant stow her carry-on bag up front. Inside the bag is her laptop, which contains the financial histories of the prospective students’ families.
Once the plane lands, a watchful thief snatches Rhonda’s bag before she gets to the cabin door. Rhonda had to obey the flight attendant when her bag was stowed for the flight, but the real issue is whether the information on her laptop is safe from the thief’s prying eyes. Convenient new encryption products could have tipped the odds in Rhonda’s favor.
Emergency: What to Do After a Security Breach
Immediately take these actions:
1. Determine the nature of the lost data and the states where the data subjects live.
2. In consultation with legal counsel, determine how state laws apply. For example, notification is required only when certain types of information are lost, and may not be required if the information was encrypted. Determine whether state agencies or law enforcement must be notified as well as consumers.
3. If notification is required, do it promptly and in accordance with applicable state laws.
4. Determine what procedures are necessary to mitigate the effects of the breach. For example, deactivate accounts if users’ login IDs and passwords were lost. Initiate changes to prevent future data losses.
5. Finally, review and update the data breach response plan. If you do not have a plan, develop one immediately. A breach response plan—like a disaster recovery plan—should be part of every organization’s emergency preparedness program.
6. The AICPA and the Canadian Institute of Chartered Accountants (CICA) have jointly developed an Incident Response Plan that you can download for free here. It can help you develop a plan—or adapt your existing one—for managing a privacy breach.
NUTS AND VOLTS
Recent technological advances have expanded the array of encryption tools. Some are built into Windows and Apple operating systems you may already use. For other tools, you may need to buy new hardware or software. Some built-in programs do not enable you to encrypt external storage media, such as flash drives and CDs. You can, however, safeguard your portable data by using the encrypted flash drives or the add-on encryption software discussed below.
Operating system-based encryption. Users of the Ultimate or Enterprise versions of Microsoft Vista can employ BitLocker, a built-in encryption program. Once you activate BitLocker, it encrypts all files that are saved to the volume or drive you select.
Users of Windows Vista Business, Enterprise, and Ultimate; XP Pro; and Windows 2000 can use Microsoft’s Encrypting File System (EFS) to encrypt files or folders they choose. This, however, is user-selected, rather than full-disk, encryption. For details, see the sidebar “How to Activate Windows’ Built-In Encryption Tools.”
If an organization relies on user-selected encryption, it should stress to employees that the only data that do not need to be encrypted are those available to anyone. Examples include PowerPoint presentations that have been made to the public and information available on an open-access Web site. However, by permitting selective encryption, an organization risks that an employee will inadvertently misclassify information that should be—but is not—encrypted.
Mac users can choose FileVault, a 128-bit encryption program built into the Mac operating system. FileVault will encrypt information stored only in the home directory, but not in other directories, such as temp and log files. Therefore, it is less desirable than full-disk encryption. If you use FileVault, be sure to store all your sensitive data in the home folder of your Mac. To avoid mishaps, we recommend universal use of automated full-disk encryption products—either hardware or software.
Hardware-enabled encryption. Perhaps the simplest way to safeguard the data on your computer is to buy a new one with storage that supports encryption. On such systems, the hard drive has its own processor, which encrypts data as they are written onto the disk and decrypts data as they are read from the disk. Access to this type of hard drive is controlled by an online host system, a password or a smart card. This ensures it cannot be accessed by unauthorized users if it is removed from the original computer—a tactic often used by data thieves.
Some systems come with an external emergency “recovery key” stored on a special flash drive. It allows the owner to unlock a hard drive if he or she forgets or loses the password. One example is the Seagate Momentus family of hard drives. These are available on new laptops, including the Dell Latitude E6500. For $55, you can upgrade a standard 160 gigabyte hard drive to a 160 GB hard drive with full-disk, 192-bit encryption. You also can buy one of these drives and install it on your current computer. Additional information is available from Dell (www.dell.com) and Seagate (www.seagate.com).
If you plan to store sensitive information on portable media, do so only on devices that provide encryption, which is not found in inexpensive off-the-shelf flash drives. For example, MXI Security’s Stealth MXP Passport flash drive offers password and biometric (that is, fingerprint scan) authentication along with 256-bit encryption. Prices range from $187 for a 512 megabyte drive to $598 for a 16 GB drive. The company also has a portable hard drive, the Outbacker MXP, which has encryption, password and biometric features. Prices range from $379 for an 80 GB drive to $669 for a 320 GB drive. Additional information is available from MXI (mxisecurity.com).
IronKey makes several flash drives that have 128-bit encryption and also use biometrics and passwords. For extra protection, consider the IronKey Enterprise flash drive. It allows administrators to initiate a self-destruct sequence, which destroys the internal circuitry so that even the administrator cannot recover the data. Here’s how it works: This flash drive cannot be used on a computer that does not have an active Internet connection. Moreover, it is always ready to contact an owner-specified party (for example, the system administrator) over the active Internet connection whenever someone tries to access its contents. If the owner loses the drive, he or she should notify the administrator, who will remotely disable the drive when a thief or other unauthorized user attempts to read the drive’s data. Pricing information is available from IronKey (www.ironkey.com/enterprise).
Another useful product is SanDisk’s encrypted flash drive Cruzer Enterprise FIPS Edition. Federal Information Processing Standards (FIPS) are issued by the Department of Commerce’s National Institute of Standards and Technology. Federal agencies’ data security measures must comply with FIPS. Although commercial products are not required to satisfy FIPS, SanDisk and other vendors whose products meet that standard often mention it when marketing their products. This drive locks itself and completely prevents access after a set number of failed attempts to provide the correct password. Only an owner-identified party, such as the systems administrator, can unlock it if it is managed with SanDisk’s Central Management and Control (CMC) software. Prices for the drive, which employs 256-bit encryption, range from $87 for 1 GB to $385 for 8 GB. Pricing information on CMC software is available from SanDisk (www.sandisk.com).
Software-enabled encryption. Several vendors provide software that supports full-disk encryption as well as encryption of flash drives, all at 256-bit strength. Some organizations will appreciate this approach because they can license a single product that will serve the needs of all employees. This simplifies IT support, making it unnecessary to become familiar with numerous encryption methods. Symantec (www.symantec.com) offers three products that can encrypt entire hard drives and/or removable devices. McAfee (www.mcafee.com) offers one product that supports user-selected encryption and another that supports full-drive encryption.
TrueCrypt (www.truecrypt.org) offers a free, open-source product, and Check Point (www.checkpoint.com) and PGP (www.pgp.com) offer Windows and Mac versions of their applications. These three also support fulldrive encryption.
CHOOSING ENCRYPTION PRODUCTS
Now that you’ve seen which encryption products are available, consider the following criteria carefully before deciding which will best protect your data. Start by identifying the devices whose data should be encrypted (for example, desktop, laptop, removable media). Then, become familiar with encryption standards and measures, for example, FIPS and encryption key strengths. Also, consider additional security features, including passwords, biometric access, auto-locking and self-destruction capability.
Evaluate each hardware and software product to determine whether it matches your needs and practices, and determine how you can recover encrypted data if the original key is not available.
Understanding these issues will enable you to identify and implement the more cost-effective approach: augmenting your current desktop PC or laptop with encryption, or buying a new laptop with an encrypted hard drive.
Finally, don’t delay the purchase of a data security solution simply because it’s not perfect. Buy what you can now. Then continue searching, and upgrade your protection when possible.
How to Activate Windows' Built-In Encryption Tools
- BitLocker (for users of the Ultimate or Enterprise versions of Windows Vista) . To activate BitLocker, select Start, then Control Panel, Security, and BitLocker Drive Encryption. Then follow the menu prompts. Additional instructions are available at tinyurl.com/ct465d.
- Encrypting File System (for users of Windows Vista Business, Enterprise and Ultimate; XP Pro; and Windows 2000). To use the Encrypting File System, select the folder with your mouse, right-click on it, and select Properties and Advanced. In the Advanced Attributes box, check the box Encrypt contents to secure data. Click OK, and then Apply. You will be asked to confirm the attribute changes. We recommend that you use the Apply changes to this folder, subfolders and files option. That way, everything is encrypted in the folder you created and all subfolders. You can find more information at tinyurl.com/d2dfus.
Several of the devices and applications discussed in this article include ancillary features for safeguarding data. Passwords, smart cards, auto-lock capabilities, device self-destruction functions and biometric identification methods, such as fingerprint scans, all augment encryption and increase the number and complexity of obstacles separating confidential data from data thieves. Prudent CPAs will explore these technologies, stay abreast of related technological advances, and remain proactive. Don’t wait until it’s too late; protect your portable data now.
Laptops, flash drives, and other convenient devices may have significant unresolved risk exposures. Unless you encrypt or otherwise protect the data they contain, you’re endangering your business and career.
Federal, state, and local laws and regulations require professionals and institutions to safeguard all personal data they collect. Violating these statutes, related regulations or state laws may result in huge fines or damages awards. The cost of encryption, however, is comparatively minuscule.
Many cost-effective encryption products greatly improve the safety of sensitive data. Implement at least one immediately, and stay abreast of the expanding array of hardware- and software-based alternatives.
Perhaps the simplest way you can safeguard the data on your computer is to buy a new one with storage that supports encryption. To avoid mishaps, use automated full-disk encryption products—either hardware or software. Wherever possible, implement automated full-disk encryption. It’s safer than selective encryption applied at a user’s discretion.
If an organization relies on user-selected encryption, it should stress to employees that the only data that do not need to be encrypted are those available to anyone.
Simon Petravick , CPA, CIA, Ph.D., is a professor of accounting, and Stephen G. Kerr, CMA (Canada), Ph.D., is an assistant professor of accounting, both at Bradley University’s Foster College of Business Administration in Peoria, Ill. Their e-mail addresses, respectively, are firstname.lastname@example.org and email@example.com.
“Preventing Identity Theft Throughout the Data Life Cycle,” Jan. 09, page 58
“Test Your Information Security IQ,” July 08, page 50
“Get Ready for Vista,” May 07, page 54
AICPA TECH+ Conference, June 14–17, Las Vegas
For more information or to register, go to www.cpa2biz.com or call the Institute at 888-777-7077.
AICPA Privacy/Data Protection resources
The AICPA and the Canadian Institute of Chartered Accountants (CICA) have formed the AICPA/CICA Privacy Task Force, which has developed the Generally Accepted Privacy Principles (GAPP). These and other privacy- and data-protection-related resources from the AICPA are available at www.aicpa.org/privacy.
IT Center and CITP credential
The Information Technology (IT) Center provides a venue for CPAs, their clients, employers and customers to research, monitor, assess, educate and communicate the impact of technology developments on business solutions. Visit the IT Center at www.aicpa.org/INFOTECH. Members who want to maximize information technology to increase efficiency and boost profits may be interested in joining the IT Member Section or pursuing the Certified Information Technology Professional (CITP) credential. For more information about the IT Member Section or the CITP credential, visit www.aicpa.org/IToffers.