should take to ensure that they have met the minimum standard of care related to protecting sensitive data contained on laptops or other mobile devices. These security measures include:

  • Protecting information stored on the laptop with a secure password. It should consist of a combination of numbers and upper and lower-case letters.
  • Implementing advanced security measures such as Remote Laptop Security and laptop encryption.
  • Ensuring that all important data contained on the laptop is backed up.
  • Using physical security measures like locks and cables. These security devices make theft more difficult and thereby discourage thieves from taking your machine.
  • When leaving a laptop in the office, make sure it is hidden and secured.
  • Keep your laptop in an inconspicuous case. Flashy cases expose your computer by attracting thieves’ attention. A simple padded messenger bag can suffice as a protective container.
  • When using a laptop for meetings or conferences, always keep it in your sight. Do not leave the room without taking the laptop with you.33

The Ernst & Young laptop theft in Miami could have been prevented if employees had followed these simple instructions. Furthermore, the companies whose data was stolen could have easily identified the compromised data if they had regularly backed up the information contained on the laptops. Finally, all of the information could have been protected if it had been encrypted. Only 65 percent of the Ponemon survey respondents claimed that their organizations utilize encryption to protect information.34

Interestingly, while most organizations that participated in the Ponemon survey indicated that they had a response process in place to deal with stolen or lost laptops, the organizations did not have a similar process for lost USB memory sticks.35 To reduce potential liability related to security breaches, businesses should adopt all-encompassing practices to ensure that they respond quickly and effectively to any potential data loss or exposure.

V. Using Insurance Coverage to Mitigate Risk

Many commercial liability policies do not provide coverage for data security breaches. However, some insurance providers are offering businesses new types of coverage specifically designed to assist with the new risks associated with technology, including costs associated with data breaches. Initially, many corporate identity or security breach insurance policies will defray the costs associated with investigating the breach to determine whether state laws require notification of the breach. Additionally, the insurance coverage will provide assistance to pay for the costs associated with breach notification requirements.

The new policies include coverage for the following claims:

  • Failure of network security;
  • Wrongful disclosure of private or confidential information;
  • Failure to protect confidential or private information; and
  • Violations of federal, state, or local privacy statutes.

Many companies face tremendous negative publicity after they experience a data loss or security breach. New corporate identity theft insurance policies will also assist with the costs associated with defraying damage to the company’s reputation following a security breach. The insurance coverage will provide crisis management and reimbursement for public relations expenses.

Most importantly, the insurance coverage will provide a defense in the event that a security breach results in a regulatory investigation or a civil lawsuit. For example, AIG’s Corporate Identity Protection is a unique product that covers administrative expenses resulting from an administrative action related to a breach of personal information. Like a traditional commercial policy, the security breach policies contain provisions that the insurance company will be required to pay for an attorney to defend the company in the unfortunate event that the company experiences a data or security breach. Finally, the insurance products also cover the costs of post-event services, like credit monitoring and identity theft education, to the individuals affected by the security breach.

VI. Conclusion
Obviously, it is important for companies to protect their valuable data, including the confidential information of their customers and employees. Recent cases have indicated that in the current world of mobile technology, safeguarding data may be difficult. To minimize potential liability, companies should proactively monitor their security policies, encrypt their data, and report breaches as required by state law. Companies should also consider purchasing insurance coverage to protect them in the event that their data is stolen or lost.