SURVEY SAYS: How Secure Is Your Participant Data?

June 8, 2006 (PLANSPONSOR.com) - I'm not sure whether it is a casualty of teleworking, having to take too much work home, or just a string of really bad luck - but it's hard to ignore the recent rash of laptop and/or data thefts that seem to be putting sensitive participant data at risk.

More than a third (35.48%) of this week’s respondents said that they already had procedures in place that prevented such exposures (as one noted, “In a twisted way, it’s a ‘luxury’ that we can work from home.”), and another 16% said that sensitive participant data “never leaves the premises” (although one reader qualified that response as follows, “for the home office here. However, we have 1,500 independents and 800 career agents across the country, and I know they carry their laptops and information with them when they travel to see their clients. Part of me fears that it is just a matter of time.”).

More than a quarter (29%) said they were currently in the process of instituting new procedures. One noted, “We are undergoing changes as we speak. We no longer have access to our personal email (e.g., yahoo, hotmail, etc.) so if we were inclined to email data to ourselves, we would have to use company email … and then IT would know about it. Soon all CD burners, USB ports, etc., — anything that we could use to store data on removable media will be stripped from all company computers. I understand the reason for it, but it still feels like I’m having privileges revoked.” Another noted, “there is a lot of grumbling amongst the rank & file at the new procedures, which require the memorization of multiple ever changing passwords to access the various applications that we use on a daily basis.”

Roughly 13% said no changes had been put in place thus far, but that they were being considered (as one said, “(e) not yet, but we should.” – but another cautioned, “…I am wondering whether such policies would even matter, considering just this morning an employee asked me if it would be ok to e-mail an employee’s personal information – hmmm.”), and about 6% said if there were changes afoot, they weren’t aware of them.

There were plenty of cautionary notes in this week’s responses, among them:

“But virtually all of our benefit programs are already outsourced and the data is elsewhere and under someone else’s control.”

“We are not very responsible in this area. Just this week, we discussed how our boss uses the back side of extra copies of things as scrap paper. (It’s our method of recycling.) He was reprimanded by a member of his old-time baseball team for diagramming their positions on a piece of paper that had someone’s social security number on the back.”

Technology offered a partial solution for some – but not in the way you might imagine:

“Several years ago, with a computer update, laptops were disposed of. It takes an act of Congress to get one now and you’d have to have a pretty damn good reason. Laptops are mainly used for demo purposes and the programs they have access to are limited only to the demo data.”

“I don’t take home anything with employee name/numbers. I take home all the reading that comes with the job. If anyone steals my tax updates, legislative changes or insurance magazines, there is no harm done. I could get them replaced easy enough.”

“Mostly I avoid bringing anything home,” noted another, “as (1) I am tired of working, (2) I can lose anything, or (3) the cockatoo eats it.”

But this week’s Editor’s Choice goes to the reader who said, “While I can’t find it in writing, there are unwritten rules against taking home participant data, so people just don’t do it. Plus the laptops in our department are so old and heavy, no one would want to lug around those bricks. How’s that for low tech security?”

Thanks to everyone who participated in our survey!

Our company has recently increased security protocols & these are being reviewed all the time. Changes are ongoing. I believe that this was initially the result of the Choicepoint scandal, but I am sure the laptop thefts have increased concerns. Employees are warned about laptop security & passwords are changed monthly. However, there is a lot of grumbling amongst the rank & file at the new procedures, which require the memorization of multiple ever changing passwords to access the various applications that we use on a daily basis.


Sorry I'm a little late... but my answer is - (c) not yet, but considering the issue.

But I am wondering whether such policies would even matter, considering just this morning an employee asked me if it would be ok to e-mail an employee's personal information - hmmm.


My response is (a). Very shortly after the publicity from the first incident, they moved very quickly to roll out a new policy that all laptop disk drives need to be encrypted. This was not a big deal, since, other than a bit more boot-up time, there is absolutely no difference in the use of my laptop. The other policy change made at this time was a lot more annoying, in that "confidential participant information" is no longer permitted to be saved to the laptop without prior approval from a Vice President. In light of the encryption, why this second piece is necessary is beyond me. If the encryption scheme is sufficiently robust, there should be no danger of anyone being able to decrypt it if it fell into the wrong hands. I assume the latter policy is just so that, in the event any laptops are stolen in the future, the company can tell the media that there should be no issues due to the encryption and no personal information being on the machine or, that any problem is the employee's fault for violating company policy.


(d) Neither this firm, nor any other company I've worked for, has had a policy or procedure for data that leaves work. I naively hoped that part of being responsible in this profession was the basic common knowledge that this type of information should NEVER be out of sight. And yes, I'm the person who will take a cumbersome briefcase in to the grocery store just to pick up a gallon of milk. I guess I just couldn't ever imagine having to explain to a person (client or coworker) that I thought it was okay to leave their personal information unattended even though I wouldn't ever leave my own SSN, address, pay history, banking information, etc., just sitting in my car (let alone hand it over to airport staff).


(a) -- in fact, we are undergoing changes as we speak. We no longer have access to our personal email (e.g., yahoo, hotmail, etc.) so if we were inclined to email data to ourselves, we would have to use company email ... and then IT would know about it. Soon all CD burners, USB ports, etc., -- anything that we could use to store data on removable media will be stripped from all company computers. I understand the reason for it, but it still feels like I'm having privileges revoked.


My answer is c: that data never leaves the premises. At least that is one less thing for me to lose sleep over.


(b) I believe a scarier threat is a laptop belonging to someone looking for another job - so much proprietary information could be copied prior to departure.


I think (c). Either it's hard copy that goes home or the home computer can "reach out" to work on the computers in the office (mostly our techies). I get work email at home so I can respond to emergencies if I'm able to be on line. Mostly I avoid bringing anything home as (1) I'm tired of working, (2) I can lose anything, or (3) the cockatoo eats it.

(b) - adequate procedures already in place. In a twisted way, it's a "luxury" that we can work from home.


Survey - yes, changes have been made. For the most part, sensitive data is accessed through secure websites and information is not downloaded and stored on the laptop.


D. But virtually all of our benefit programs are already outsourced and the data is elsewhere and under someone else's control. This is probably true of most companies. Our 401k is with Fidelity and when they lost the HP data we heard from them immediately. All of this goes to say that the SSN can no longer be relied upon as the primary means of identifying someone.


C, for the home office here. However, we have 1,500 independents and 800 career agents across the country, and I know they carry their laptops and information with them when they travel to see their clients. Part of me fears that it is just a matter of time.


Several years ago, with a computer update, laptops were disposed of. It takes an act of Congress to get one now and you'd have to have a pretty damn good reason. Laptops are mainly used for demo purposes and the programs they have access to are limited only to the demo data.

My answer is D, not that I'm aware of.

As a payroll and benefits administrator, if I take home a laptop, it doesn't contain any information. All data is accessed through a network or server through my employer. I don't understand why someone would carry around this sort of information. Also, I don't stop at the store on my way home or leave my computer in my car overnight.

My personal belief is: if an employer allows an employee to carry such information and it's stolen, both the employer and employee should face the possibility of heavy fines and jail time. And the people that have their information stolen should be able to sue both the employer and employee as well. There have to be consequences. Oh, I forgot... no one is responsible for anything in our society anymore. Never mind.


Our response is C which seems to me to be the best solution to the danger of stolen laptops. As my Dad said in my youth, if you never date a sleazy bum you never have to be worried about ending up married to one. Not sure that would fly in today's politically-correct world but it was wise advice, and applicable. If a laptop with personal data never leaves the office, the laptop won't be stolen while it is off-premises. Of course security inside is another issue altogether.


No changes to policies here. All the data resides on the company server and you log in via an RSA SecurID. Everyone is told to limit the amount of data actually on the laptop hard drive.


I don't take home anything with employee name/numbers. I take home all the reading that comes with the job. If anyone steals my tax updates, legislative changes or insurance magazines, there is no harm done. I could get them replaced easy enough.


A. Yes, yes, and yes!! We can't have any participant data on our PCs and we can't even send CDs out to vendors with participant info. All data must go through VPNs.


I think my answer is (b). While I can't find it in writing, there are unwritten rules against taking home participant data, so people just don't do it. Plus the laptops in our department are so old and heavy, no one would want to lug around those bricks. How's that for low tech security?


My company thinks b) that adequate procedures are in place. However, I used yesterday's article on Hotels.com/Ernst & Young as the starting point for a conversation on the issue, and pointed out how we could do much more to secure sensitive client information and also heighten staff awareness of the risks associated with the laptops they take out of the office every day. Also, our staff could use more training on the use of password protection and encryption.


We also had a discussion yesterday in our department regarding the types of information that should not be sent as an email attachment. (I'm on a roll. My own "awareness" was increased when I received 2 letters in one week informing me that my name, address and SS# information had been compromised due to issues with stolen computers/laptops - one from my alma mater and the other from the AICPA.)


Our answer is "other". We are not very responsible in this area. Just this week, we discussed how our boss uses the back side of extra copies of things as scrap paper. (It's our method of recycling.) He was reprimanded by a member of his old-time baseball team for diagramming their positions on a piece of paper that had someone's social security number on the back. We then went on to talk about how many of the documents we work with have people's social security numbers on them, and the cleaning people (who all appear to be Mexican, don't speak English, and might actually be in "need" of social security numbers) don't hesitate to eat any candy or food we leave out. Could they be helping themselves to social security numbers from the papers we leave out on our desks overnight, as well? We don't know, and there's certainly no evidence this has happened, but it's something to think about. Unfortunately, thinking about it is all we did.

a) yes. You now have to take online classes if you have a laptop on a regular basis to make sure you understand the policy. I almost feel like I am in grade school again with a nun standing over me with a ruler!


No new security changes in light of the recent thefts, but company policy is already very strict regarding confidential data.


Definitely B. Our company takes customer security very seriously. We're not even allowed to leave customer information on our desk while we go to the bathroom. And heaven forbid if you don't lock everything up at night, senior managers check desks and file cabinets to ensure nothing is left out. As for leaving the company…don't even think about taking anything outside!


(e) not yet, but we should.


a) We now only provide NPI to auditors and others without identifying information (SSN, name, etc.). Those outside individuals are also not allowed to load the data on their equipment or remove it from our premises.
