http://www.rednova.com/news/technology/205549/pass_the_aspirin/

12 August 2005

The ubiquitous laptop! So much in so small a package, and therein lies the problem. More costly than many desktop computers, they pack an entire office into a tiny box. Some community bankers "live" out of their laptops. Which is fine unless the laptop goes missing and private customer data is exposed to potential loss, and worse.

At ABA's recent Regulatory Compliance Conference, speakers warned listeners that one of the most common causes of customer data breaches is the "lost laptop."

"I've had clients trolling the pawnshops, trying to find out what happened to their missing laptops," said Oliver Ireland, partner at the Morrison & Foerster law firm, in Washington, D.C.

Gilbert Schwartz, partner at Schwartz & Ballen, also of Washington, advised bankers to be sure that any laptop that leaves the bank premises be equipped for data encryption. The only saving grace, he added, about the "lost laptop" is that thieves most typically are opportunists looking to simply fence the machine itself.

William H. Henley, Jr., of the FDIC said the loss of a laptop protected by encryption might not have to be disclosed to the public; the federal guidelines give banks some leeway on disclosure. Henley, examination specialist in FDIC's Technology Supervision Branch, in its Division of Supervision and Consumer Protection, said this ultimately hinges on the bank's assessment of the likelihood of the encrypted data remaining so.

The comments at the compliance conference prompted this month's Pass the Aspirin question.

THE HEADACHE

Lost laptops lay open lenders to liability: Does your bank have an established policy and procedure regarding removal of bank-owned laptops from the bank's premises and the inclusion of customer files on those laptops?

REMEDY 1

Tom Mantor, president and COO, Bank of Walnut Creek, $500 million-assets, Walnut Creek, Calif.
Our bank has an established policy whereby laptops may leave the premises. However, no customer information is stored on laptops. Customer information is stored on network drive and can be accessed off-site. In addition, only a handful of laptops are authorized and that is to select senior staff. By comparison, paper customer files are not allowed off-site.

REMEDY 2

Jim Mathews, vice-president, Internal Audit, Valley Bank & Trust, $248.8 million-assets, Brighton, Colo.

Although we have only a handful of these units in our bank that can be checked out, we adhere to our laptop usage policies very closely before releasing a unit. The major use of our laptops so far has been for use at off-site training sessions, allowing the officer an effective way to take notes, and to keep in touch with the bank as well through our network. The only encryption we use is what is provided by Microsoft in its software suite on the laptop.

Mathews provided excerpts from the bank's laptop usage policy, which can be found at www.ababj.com.

REMEDY 3

John Hutchison, senior vice-president-compliance, Capital City Bank Group, Inc., $2.3 billion-assets, Tallahassee, Fla.

Yes, we have a policy. Any associate taking a laptop off bank premises must keep it in their personal possession. It cannot be checked at an airport, given to a hotel porter, or otherwise allowed out of the associate's hands, unless any client information on it has been encrypted. Whenever possible, client information would be encrypted, and the laptop would always be password protected. Any associate who wishes to have access to the main systems from their laptop must be able to justify the need, and firewall protection is provided.

Similar limitations would apply to any paper file. Associates are permitted to take certain files out of the office (such as to deliver files to auditors or examiners in another location), but they are not supposed to take them home if they contain loan documents.
Any paper files with client information should be in their personal possession at all times.

REMEDY 4

Mike Murphy, executive vice-president and CFO, First American Bank, $242 million-assets, Purcell, Okla.

We do not have a "policy" regarding removal of bank-owned laptops from banking premises, but we do have a "practice" of not putting customer information on the laptops we do have. That information is housed on servers maintained in secure areas of each banking center. Those laptops which we do have are primarily used for training lab purposes.

It is interesting you bring this up because we recently had a laptop which was stolen from banking premises. One of the first questions we asked was what was on the laptop. Fortunately, the answer did not include any customer information.

ASPIRIN RESOURCES

Some of the solutions to laptop security simply require common sense. You don't leave a laptop with sensitive data on it, or perhaps any laptop, in an unoccupied hotel or conference room without some precautions. Some suggest separating the computer from the sensitive data by storing the latter on a removable memory device. One doesn't hear anything about shackling the laptop to the traveler's wrist, though it would certainly make going through airport security interesting.

Speaking of the government, the following links have some federal tips on laptop security: physical security, www.uscert.gov/cas/tips/ST04-017.html and data security, www.us-cert.gov/cas/tips/ST04020.html

Three categories of products that can address aspects of the lost laptop problem are: encryption software; physical security devices; and laptop tracking software. Please note that these listings appear as a sampling of what's out there, and in no way imply an endorsement on the part of ABA Banking Journal nor the American Bankers Association.

Encryption: Some encryption programs are comprehensive, while others offer "a la carte" software, with separate products covering encryption of storage media, e-mail, and more. Certain Windows operating systems, as indicated in one of the bankers' answers above, feature encryption of their own. It is up to the bank whether these built-in measures suffice. Further information about Windows-based encryption can be found at www.microsoft.com.

Control Break International, Inc., www.safeboot.com
Cypherus, Inc., www.cypherus.com
Jetico, Inc., www.jetico.com
PC-Encrypt, Inc., www.pc-encrypt.com
PC Guardian Technologies, Inc., www.pcguardiantechnologies.com
PGP Corp., www.pgp.com
SafeNet Inc., www.safnet-inc.com

Physical security: These devices may include cabling; locks; lockable frames that can prevent a closed laptop from being opened; specialized locks for drives and removable media; barcoded stickers that make it harder to sell stolen laptops to unsuspecting buyers; and more. Some may be packaged with encryption or other security software.

Computer Security Products, Inc., www.computersecurity.com
Compucage International, www.compucage.com
PC Guardian Anti-Theft Products, Inc., www.pcguardiananti-theft.com
STOP (Security Tracking of Office Property), www.stoptheft.com
Think Products, Inc., www.laplocker.com

Laptop tracking: This type of software automatically transmits via the internet to a central location when the laptop is used to go online and reveals where the machine is plugged into the internet. If a machine is reported stolen to the software vendor, the information is reported to local authorities. Some of these companies offer additional services as part of the package, including the ability to destroy all data on the laptop's hard drive from the vendor's location while the machine is online. One vendor, Absolute Software, Inc., posts a $1,000 guarantee on its website. If they fail to get your missing laptop back, you get the money.

Absolute Software, Inc., www.absolute.com
CyberAngel Security Solutions, Inc., www.sentryinc.com
Stealth Signal, Inc., www.stealthsignal.com
Trackion, www.trackion.com

HEADACHE #2

Data breaches have been much in the news because of recent breaches at major retailers, the new federal mandates regarding breaches connected with bank customer information, and passage of some relevant state laws. Some banks automatically issue new cards to affected customers, while others may do so only on request. How has your bank handled this and what kinds of costs have you faced?

REMEDY 1

Gordon L. Gentry, Jr., chairman, TowneBank/Peninsula, $1.5 billion-assets, Newport News, Va.

In the last two years, we have re-issued certain credit cards due to notification by MasterCard that merchants have experienced a data breach. While not a massive number, the expense, estimated to be several thousand dollars, is one we would not otherwise have encountered.

REMEDY 2

Jon Rohlfs, assistant vice-president and security officer, First State Bank and Trust, $156.1 million-assets, Fremont, Neb.

First State Bank & Trust Co. has been affected by the recent breaches at third-party processors. We have chosen to close all cards that were involved with these breaches, so we have incurred a cost of reissuing new cards ($2.50 per card), as well as the time spent doing so.

Copyright Simmons-Boardman Publishing Corporation Aug 2005