Mobile liability.
Subject: Smart phones (Usage)
Smart phones (Safety and security measures)
Data security (Management)
Laptop computers (Usage)
Laptop computers (Safety and security measures)
Notebook computers (Usage)
Notebook computers (Safety and security measures)
Author: Gross, Bruce
Pub Date: 06/22/2009
Publication: Name: Annals of the American Psychotherapy Association Publisher: American Psychotherapy Association Audience: Academic; Professional Format: Magazine/Journal Subject: Psychology and mental health Copyright: COPYRIGHT 2009 American Psychotherapy Association ISSN: 1535-4075
Issue: Date: Summer, 2009 Source Volume: 12 Source Issue: 2
Topic: Event Code: 260 General services; 200 Management dynamics Computer Subject: Smart phone; Data security issue; Laptop/portable computer; Company business management
Product: Product Code: 9916270 Data Processing Security SIC Code: 3571 Electronic computers
Geographic: Geographic Scope: United States Geographic Code: 1USA United States
Accession Number: 218314002
Full Text: Mobile devices such as laptop computers, flash or thumb drives, personal digital assistants (PDAs) or palmtops, smartphones, and cell phones have become an integral part of the professional lives of working Americans, including mental health practitioners. Despite the emphasis on security and confidentiality across industries, since 2005 more than 250 million files that contained confidential or sensitive information regarding clients, customers, and employees have been lost or stolen (Ponemon, 2009). The greatest source of this security breach is from the theft or loss of well over one hundred thousand laptops each year. According to the Federal Trade Commission (FTC), airports are the most frequent place from which laptops are stolen, followed by hotels and then parked cars (FTC, 2008).

[ILLUSTRATION OMITTED]

Laptops Lost and Found

In a survey of 36 large- and 70 medium-sized U.S. airports, travelers lost more than 12,200 laptops per week (Ponemon, 2008). Approximately 10,200 of those were lost in major airports, including 1,200 per week from Los Angeles International, 1,000 from Miami International, 900 from John E Kennedy International, and 825 from Chicago O'Hare International. With 70% of travelers feeling rushed and 69% feeling they were carrying too many items, it is not surprising that 40% of laptops were lost or stolen at security checkpoints and 23% were left or taken from departure gates.

Of those laptops that are taken to the airport's Lost and Found department, only 33% are reclaimed (the rest are kept in the department until they are disposed of). Over 53% of people who travel with their laptop admit it contains confidential or sensitive information; yet 65% of those do nothing to protect or secure that data and 42% never back up their files. Forty-five percent (45%) of travelers use a sign-on password as their only form of security and a shocking 34% have no idea if their laptop even bas any security features. Although more than half of travelers worry about losing their laptop, about the same number asks a fellow passenger to watch their laptop while they run to do or get something.

The lack of attention given to securing the confidential data stored on laptops is in stark contrast with the professional standards set for mental health professionals regarding client records. Password protection is certainly a step in the right direction, but it can be bypassed easily, even by "non-hackers." The same is true of individual file encryption, which does not address the vulnerability associated with temp files, hibernation files, or erased files. Full-disk encryption offers far greater security, and most applications have the added benefit of extending encryption to all removable and portable media (external hard drives and flash drives) and also include components that allow for complete erasure of deleted files.

[ILLUSTRATION OMITTED]

Although there are programs that break encryption codes, it requires a degree of determination that the average laptop thief might lack. A potentially safer alternative to keeping client records on a laptop is to store them on an encrypted external drive. There are HIPAA compliant file storage providers that offer the service at reasonable rates. While more laptops are coming with built-in global positioning systems (GPS), tracking devices can be installed in laptops that locate the stolen laptop if or when the thief connects to the Internet. There are also software programs that allow the owner of a lost or stolen laptop to shut it down remotely and erase the hard drive. It should go without saying that, to reduce the risk of theft of a laptop that contains confidential information, it should never be left in an unattended car.

Theft of a laptop can prove devastating not only to the owner, but potentially to the owner's employer and the clients or customers whose confidential information is breached or at risk of being breached. Earlier this year, the Department of Veterans Affairs agreed to pay a 20 million dollar settlement in a class action lawsuit filed by veterans over the risk of potential identity theft. (Legal documents related to this case are available online at www.veteransclass.com.) The case arose from the 2006 theft of a laptop that contained the confidential identifying information of numerous veterans from the home of an employee of Veterans Affairs.

The lawsuit asked for $1,000 in damages for every veteran whose information was at risk. The settlement allowed for a minimum of $75 and a maximum of $1,500 for each valid claim for out-of-pocket expenses that were the direct result of the theft. This was approved even though the laptop was recovered by the police and forensic investigators were able to determine that the criminals had not accessed any of the confidential data. The settlement essentially acknowledged that clients can be wronged without being harmed.

Dropped Calls

According to the Cellular Telecommunication and Internet Association (an international association for the wireless telecommunications industry), as of December of 2008, there were 270.3 million wireless subscribers in the U.S, representing 87% of the total U.S. population (CTIA, 2009). Cell phone owners used 2.2 trillion minutes of airtime in 2008 and sent 110.4 billion text messages per month.

Stolen and lost mobile devices--including cell phones, PDAs, and smartphones--result in the loss of more confidential and sensitive data than any other type of security vulnerability and breach (Ponemon, 2009). Most cell phone and virtually all PDA and smartphone owners, including mental health professionals, store identifying information of personal and professional contacts in their mobile communication devices. The phone book or contact lists in cell phones range from 5 to 2,000 entries, with the average available size being 510 listings (that of PDAs is significantly larger) (Reviewgist, 2009).

In addition to sensitive client information, more than one-third of PDA users store account passwords and PIN numbers in their device and do not protect the data by using the PDA's password function (ZDNet, 2003). Fifty-seven percent (57%) of users do not encrypt any of the data stored in their PDA. As with laptops, failing to utilize protection and security functions in cell phones, smartphones, and PDAs leaves the professional at risk of potentially violating client confidentiality should the device by lost or stolen.

The most common place for mobile communications devices to be lost is in taxicabs (40%), followed by restaurants, bars, and nightclubs (20%) (Ponemon, 2009; ZDNet, 2003). According to the April 3, 2007, edition of the New York Times, during a 6-month period in 2006, approximately 8,700 mobile devices were left in taxis in the Washington-Baltimore area, and around 3,100 were left in taxis in the San Francisco-Oakland area. That is next-to-nothing compared to the more than 85,000 cell phones and 21,000 PDAs that were lost in Chicago taxis in 2004 (FTC, 2008; Biba, 2005).

Cell phones and PDAs can be lost or stolen from anywhere, and with the growing number of industry-specific applications, employees regularly and literally carry their work with them wherever they go. An example of this software is MedShare for Blackberry, an application that allows community healthcare workers immediate access to schedules and client records.

For a variety of seemingly valid reasons, many psychotherapists keep their clients' contact information in their cell phone. One such therapist is facing the emotional, ethical, administrative, and legal consequences of doing so. After it was either lost or stolen, the therapist's cell phone ended up in the hands of a man who used it to make random calls to people in the phone's address book. The man soon became obsessed with one of the women in the list, a woman who happened to be one of the therapist's clients. The telephone harassment rapidly escalated to stalking and resulted in a brutal rape, all before the therapist notified anyone the phone had been lost.

Cell-Spies

Cell phones have become as commonplace as watches, but they are basically miniature computers. As with computers, the more complicated, advanced, or "smart" the phone, the more ways the privacy of the information it contains may be compromised. In fact, with increasing frequency and ease, cell phones are being used as a way to "spy" on people. Devices that look like cell phones but are actually listening devices or interceptors are readily available on the Web. For the "do-it-yourselfers," simple instructions for making your own interceptor with a metal bowl, a television remote control, and a basic microphone can be found on YouTube. Because Bluetooth devices use short-range wireless connections between the headset and the cell phone, communications are especially vulnerable to interception.

A number of software programs are available (such as FlexiSpy) that, when installed on the targeted phone, allow the spy to hear both ends of all incoming and outgoing calls, read all text messages, see all graphics, track visited Web sites, and access all of the information stored in the phone's memory and subscriber identity module or SIM card. In addition, the software includes a global positioning system (GPS) function. The spy can call in to the target phone at any time (without the screen lighting up or the ringer sounding) and activate the mouth piece to serve as a microphone, whether the cell phone is on or off; activation results in the phone picking up conversations from a wide radius around the phone and transmitting them back to the spy's phone.

Similar applications provide the user with the same features, but they do not require access to the target cell phone. The program is downloaded into the spy's cell phone and within minutes the spy will have access to the cell phone of the person to be "bugged" or "tapped." Referred to as a "roving bug," it was used very successfully by the FBI to bring down the Genovese family, part of organized crime in New York. (See: U.S. v. Tomero et al., No. S2 06 Crim. 0008 [LAK], Nov. 27, 2006.)

As part of what proved to be a 3-year investigation, the FBI placed bugs in the four restaurants where the suspects regularly met to conduct "business." Ever suspicious of being detected by law enforcement, some 7 months after the bugs were set up, they were discovered by the suspects. In response, the family began meeting in a countless array of locations, most of which were impractical or impossible to bug. As such, the FBI requested and was given approval to install a "roving bug" in the phones of two key suspects.

Without ever having access to the actual phones, the "roving bug" allowed the FBI to hear every call made to and from the cell phone, as well as every conversation that took place near the phone (whether it was on or off). Understandably, the defendants objected to the "roving bug," claiming it was a violation of their right to privacy, amongst other complaints. However, in early December 2006, U.S. District Judge Lewis Kaplan ruled that the bug was legal under the federal wiretapping law.

"Roving bugs" are available for use not just by law enforcement, but also by the general public, including suspicious spouses, distrustful parents, and "auditory voyeurs." While they are virtually undetectable by the target, there are a few things that suggest a cell phone might be bugged. One indicator is rapid draining of the battery. This happens because the cell phone may be working as a microphone when the owner has turned it off. Another sign of possible bugging is when a cell phone gets warmer than usual between calls or when it is turned off. While cell phones normally get warm during calls (especially long calls), they should not be warm when not in use. Finally, occasional pulsing-buzz interference is normal during calls and texting, but continuous buzzing (especially when idle) is not.

Cellular Security

As mentioned above, although virtually any cell phone can be bugged, the more complicated the phone, the more vulnerable it is to software downloads that remotely activate the microphone. There are several "safeware" applications that protect cell phones, smartphones, and PDAs from "spyware." Similarly, there are programs that protect the information contained in mobile communication devices in the event the device is lost or stolen. An example of this software is Pretty Good Privacy (PGP), which allows the user to encode confidential data on the device to which it is downloaded.

While not a readily mobile communication device, Voice-over Internet Protocol (VoiP) phones are extremely difficult to bug because of the density of their encryption. For example, the encryption algorithm used in Skype is far more complex than that used for processing credit cards. This high level of security that is reinforced by the unwillingness of VoiP service providers to reveal their encryption program to law enforcement makes it a favorite means of communication for criminals. In fact, the National Security Administration is allegedly offering a sizable reward to the hacker who is able to break the encryption key.

Criminals are also benefiting from simple cell phones behind bars. Although they are considered contraband in jails as well as state and federal prisons, cell phones are quickly becoming one of the biggest security risks in detention facilities. Inmates are using them to arrange escapes, organize riots, order assaults on other inmates and correctional officers, communicate between prisons, and to orchestrate gang activity on the outside, including hits on witnesses. The major benefit to inmates in using cell phones is that they are able to have completely unmonitored and uncensored communication.

Cell phones are being brought into jails and prisons by every means imaginable. In Brazil, inmates arranged to have cell phones dropped into a prison in pieces by carrier pigeons (Associated Press, 2009). In 2008, one California prison guard managed to earn over $100,000 by selling cell phones to inmates for anywhere from $100 to $400 per phone. A few states are using specially trained dogs that have proven more effective at detecting hidden cell phones than any other method. Prison officials in several states have requested special permission from the Federal Communications Commission to use jamming devices, which are otherwise illegal in the US. The problem with using jamming devices is that they interfere with emergency equipment and block authorized calls.

Professional Responsibility

The professional codes of ethics do not and should not deal with specific pieces of technology. Maintaining confidentiality and protecting client privacy is foundational to psychotherapy, and the potential risks to confidentiality associated with lost or stolen laptops, flash drives, PDAs, and cell phones are well-known. Just as ignorance is not a defense against violation of a law, carelessness and laziness are not an excuse for violating professional ethics and responsibility.

Should a therapist's laptop or cell phone be lost or stolen and a client's confidentiality violated, the therapist must be able to demonstrate they did everything reasonably possible to secure the device and the information therein in order to minimize liability.

While no method is 100% foolproof, there are several things that can be done to greatly reduce the risk of a breach if confidential information must be held in the device. For example, antivirus software can be downloaded to most cell phone models and should be updated regularly. When not in use, Bluetooth headsets should be turned off and the battery should be completely removed from cell phones. If you suspect any type of problem or interference with your device, contact your service provider immediately for advice.

The use of electronics in therapy should be included in the informed consent form and discussed with every client in the initial session. The information should include what electronics are used and why, the potential risks to confidentiality each device presents, as well as every protective measure and security feature utilized. In the event a therapist's mobile device is lost or stolen, they should inform their service provider and employer immediately. Every person whose identifying confidential information was kept in the device should be told of the breach as soon as possible. The potential risk to every client's confidentiality should be documented, including why any clients might not have been informed. Contacting clients in a timely manner is imperative from a legal and ethical perspective. In the Veterans Affairs case, Congressional hearings were held and officials were fired not merely because of the theft but because of the Department's delay in notifying the veterans involved.

It is equally important that a report be filed with law enforcement as soon as one learns their mobile device has been lost or stolen. The Ponemon Institute has found that the faster the loss of a laptop is reported, the lower the average cost associated with the loss (Ponemon, 2009). In business, if a company learns about the loss the same day it happens, the average cost is approximately 59,000. If it takes the employee more than one week to disclose the loss, the average cost rises significantly to approximately $116,000. Encryption reduces that cost by more than $20,000.

Most people only think of the cost associated with the loss of the equipment itself, with little consideration given to the short-and long-term costs associated with the loss of the sensitive or confidential information it held (Ponemon, 2009). Yet more than 80% of the cost is related to the consequences of the lost or stolen data. Ironically, and despite availability, half of all laptop, PDA, and cell phone owners do not insure their equipment (Ponemon, 2009). Only 2% insure the information they hold.

References

Associated Press (AP). (2009). Pigeons smuggle cellphones into Brazilian prison. USA Today Retrieved from http://www.usatoday.com/news/world/2009-03-31-brazil_N.htm

Biba, E. (2005, February 17). Lost your cell phone? Call a cab! PCWorld. Retrieved from: http://www.pcworld.com/printable/article/id,119702/printable.html

Cellular Telecommunications and Internet Association (CTIA). (2009). Wireless facts. Retrieved from http://www.ctia.org/advocacy/research/index.cfm/AID/10323

Federal Trade Commission (FTC). (2008). Laptop security. OnGuard Online. Retrieved from http://www.onguardonline.gov/topics/laptop-security.aspx.

Ponemon, L. (2008). Airport insecurity: The case of lost & missing laptops. Traverse City, MI: Ponemon Institute.

Ponemon, L. (2009). Fourth annual US cost of data breach study: Benchmark study of companies. Traverse City, MI: Ponemon Institute.

Reviewgist. (2009). Cell phone reviews. Retrieved from http://www.reviewgist.com/cell-phone-reviews

ZDNet. (2003). Careless PDA users threaten corporate security. Retrieved from http://www.zdnet.co.uk/misc/print/0,1000000169,2137155-39001058c,00.htm

By Bruce Gross, PhD, JD, MBA, FACFEI, DABPS, DABFE, DABFM, FAPA

Bruce Gross, PhD, JD, MBA, FACFEI, DABPS, DABFE, DABFM, is a Fellow of the American Psychotherapy Association and is a regular columnist for Annals of the American Psychotherapy Association. He has been a member since 1999.
Gale Copyright: Copyright 2009 Gale, Cengage Learning. All rights reserved.