Special Topics in Safety Management

Securing Your Organization’s Portable Electronic Devices


With increasing frequency, confidential business and personal information is stored on portable electronic devices such as laptops, personal digital assistants, removable disk drives, memory cards, and the like. Along with this trend has come a spate of highly publicized security breaches involving the loss or theft of equipment containing customer records, Social Security numbers, driver’s license numbers, and more. Could your organization be next?


If concerns about your organization’s reputation and bottom line are not enough, keep in mind that many state laws require companies to report the disclosure of confidential personal data. To guard against the liability for such disclosures and to manage the risk, companies are adopting security policies specifically for portable electronic devices rather than relying on a general security policy.


The Legal Landscape


If you think a portable electronic devices security policy is a “nice to have” rather than a “must have,” consider these compelling legal reasons noted by BLR’s Essential Safety Policies:


  • Health Insurance Portability and Accountability Act (HIPAA). HIPAA requires plan administrators for group healthcare plans to take steps to secure medical information.

  • Americans with Disabilities Act (ADA). The ADA requires an employer to maintain medical information about employees in confidence.

  • Family and Medical Leave Act (FMLA). The FMLA requires an employer to maintain medical information about employees in confidence.

  • State unemployment laws. Generally, state employment laws require unemployment information to be maintained in confidence.

  • State workers’ compensation laws. Generally, state workers’ compensation laws require that workers’ compensation matters be maintained in confidence.

  • Disclosure of data breaches. Many states now require companies to disclose any security breaches of their databases. This may include information stored on portable electronic devices.

  • Identity theft. Employees or customers may sue a company for negligence in connection with identity theft as a result of lax security procedures for personal data.

  • Discarding personal data. Federal and state laws may require the proper disposal, i.e., the destruction, of personal data before it is discarded.

  • Disclosure of private facts. When a portable device containing personnel information is stolen, and the information is then publicized, the employee may be able to sue for publication of private facts.


Points to Cover


In drafting a portable electronic devices security policy, some of the points you should cover, according to Essential Safety Policies, include:


  • Encryption. Require encryption of all data on portable electronic devices such as mobile computers or devices that carry confidential records.

  • Pass phrases. Instead of passwords, require the use of pass phrases containing letters, numbers, and symbols. Require changes in pass phrases periodically.

  • Authentication. When using a portable electronic device for remote access, require a two-step authentication where one of the steps is provided by a device separate from the device gaining access. When accessing the portable electronic device alone, also require a two-step authentication: (1) a user name and a pass phrase to turn on a laptop and (2) a user name and pass phrase to access encrypted data on the laptop.

  • Wireless networks. Secure wireless networks with firewalls and passwords.

  • Storage. Use a cable lock for laptops and place them and other portable electronic devices in locked storage when not in use.

  • Timeout function. Use a “time-out” function for mobile devices requiring user reauthentication after 10 minutes of inactivity.

  • Identification. When feasible, require that the portable electronic device be marked as property of the company.

  • Records. Require the Information Technology (IT) department to record the model number and serial number of all portable electronic devices and store digital photographs of each device.

  • Logs. Automatically create a log for access to the portable device and a log for accessing the confidential data on the portable device.

  • Copying. Allow copying or extraction of confidential data only with two-factor authentication.
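The Logs and Copying points above only pay off if someone actually reads the two logs together. The following added example (written for this article, not part of BLR's Essential Safety Policies) shows one way to audit them: it correlates a device access log with a confidential-data access log and flags data accessed after the 10-minute idle period with no reauthentication, and copy or extract events made under a session that was unlocked with fewer than two factors. The log format, the serial numbers, user names and paths are all constructed for the example.

```python
"""Audit a device access log against a confidential-data access log.

Constructed example: the line format (ISO timestamp followed by key=value
pairs) and every value below are assumptions, not a real product's output.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=10)  # the policy's 10-minute time-out
REQUIRED_FACTORS = 2                   # copy/extract requires two factors

# Constructed device access log: one line per device unlock.
DEVICE_LOG = """\
2024-03-04T08:59:10 serial=LT-0042 user=jdoe event=unlock factors=passphrase
2024-03-04T09:00:02 serial=LT-0042 user=jdoe event=unlock factors=passphrase,token
2024-03-04T12:30:00 serial=LT-0042 user=jdoe event=unlock factors=passphrase
"""

# Constructed confidential-data access log for the same device.
DATA_LOG = """\
2024-03-04T09:03:15 serial=LT-0042 user=jdoe event=open path=/vault/hr/payroll.xlsx
2024-03-04T09:05:40 serial=LT-0042 user=jdoe event=copy path=/vault/hr/payroll.xlsx dest=usb
2024-03-04T11:10:00 serial=LT-0042 user=jdoe event=open path=/vault/hr/ssn.csv
2024-03-04T12:31:00 serial=LT-0042 user=jdoe event=copy path=/vault/hr/ssn.csv dest=usb
"""


@dataclass
class Event:
    ts: datetime
    serial: str
    user: str
    fields: dict  # remaining key=value pairs (event, factors, path, ...)


def parse_log(text):
    """Parse 'TIMESTAMP key=value key=value ...' lines into Event objects."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        stamp, *pairs = line.split()
        fields = dict(pair.split("=", 1) for pair in pairs)
        events.append(Event(datetime.fromisoformat(stamp),
                            fields.pop("serial"), fields.pop("user"), fields))
    return events


def audit(device_log, data_log, idle_timeout=IDLE_TIMEOUT):
    """Return (timestamp, serial, rule, detail) findings for policy violations.

    Rules checked, per (serial, user):
      idle-no-reauth   data accessed more than idle_timeout after the last
                       logged activity without a new unlock in between
      copy-without-2fa copy/extract while the session's last unlock used
                       fewer than REQUIRED_FACTORS factors
    """
    events = sorted(parse_log(device_log) + parse_log(data_log),
                    key=lambda e: e.ts)
    last_activity = {}    # (serial, user) -> time of last logged activity
    unlock_factors = {}   # (serial, user) -> factors used at last unlock
    findings = []
    for ev in events:
        key = (ev.serial, ev.user)
        kind = ev.fields.get("event")
        if kind == "unlock":
            factors = ev.fields.get("factors", "")
            unlock_factors[key] = {f for f in factors.split(",") if f}
            last_activity[key] = ev.ts
            continue
        prev = last_activity.get(key)
        if prev is None or ev.ts - prev > idle_timeout:
            findings.append((ev.ts.isoformat(), ev.serial, "idle-no-reauth",
                             f"{kind} of {ev.fields.get('path')} after idle "
                             f"period with no reauthentication"))
        if kind in ("copy", "extract") and \
                len(unlock_factors.get(key, set())) < REQUIRED_FACTORS:
            findings.append((ev.ts.isoformat(), ev.serial, "copy-without-2fa",
                             f"{kind} of {ev.fields.get('path')} to "
                             f"{ev.fields.get('dest')} under single-factor unlock"))
        last_activity[key] = ev.ts
    return findings


if __name__ == "__main__":
    for ts, serial, rule, detail in audit(DEVICE_LOG, DATA_LOG):
        print(f"{ts} {serial} {rule}: {detail}")
```

Run as-is, the script reports two findings on the constructed logs: the 11:10 access to ssn.csv (the last activity was at 09:05, so the device should have required reauthentication first) and the 12:31 copy to USB made after a passphrase-only unlock. The open and copy at 09:03 and 09:05 pass because they follow the two-factor unlock at 09:00 within the timeout window.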


Tomorrow we’ll look at additional points to cover and other considerations in creating a portable electronic devices security policy.