Contractors and Laptops

Opinion
Apr 26, 2008

When businesses entrust highly sensitive information (e.g., non-public information of a consumer or valuable trade secret information) to their consultants, a best practice is to preclude the consultant from storing any of the information on its laptop computers. The risk is simply too great that a compromise of the laptop will lead to the business being featured in yet another front page story involving data loss.

In some instances, precluding consultants from using laptops may not be practicable.  The consultants may need the ability to quickly move from site to site or within large facilities while having easy and constant access to their data and applications.  While the size of some engagements may justify providing consultant personnel with laptops furnished by the company (i.e., laptops the company has confidence are adequately secured, even in the event of loss), most engagements will not support the additional expense.  Rather, if laptops must be used, they will be furnished by the consultant.  In such cases, appropriate protections should be included in the company’s agreement with the consultant to ensure data is adequately protected and the risk of unauthorized access minimized: 

  • The USB ports, CD Drive, and other ports on the laptop should be disabled.
  • Internet access should generally be precluded.
  • Wi-Fi access should be through approved secured means.
  • The hard disk must be encrypted.
  • Strong authentication should be required for access to the laptop (e.g., biometric authentication).
  • Designated security software (e.g., firewall, anti-virus, anti-malware, etc.) must be installed on each computer.
  • The agreement should set forth specific requirements for secure and irreversible erasure of data on completion of work (e.g., methods at least as protective as the DoD 5220.22-M Standard).
  • Restrictions should be included regarding the vendor’s ability to have any laptops serviced or any components replaced without appropriate protections in place to ensure data is secured.
  • Strict limitations should be included regarding the applications that can be installed on the laptop.
  • Each laptop should include tracking software in the event of loss and the ability to remotely erase the entire contents of the hard disk.
  • The contract should require immediate reporting of any instance in which the security of the laptop is compromised, including instances in which the laptop is out of the consultant’s control for any material period of time.
  • In the event any breach of security or confidentiality by the consultant requires notification to a consumer under any privacy law, the contract should make clear the company has sole control over the timing, content, and method of notification and consultant should be required to reimburse the company for its out-of-pocket costs in providing the notification.

While no list can be exhaustive, the foregoing protections can substantially reduce risks that may arise when consultants must have the ability to store sensitive information on the laptops of their personnel.


Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP where he focuses on drafting and negotiating technology related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law.

Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices. Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information System Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified Risk and Information System Controls (CRISC) and Certified Outsourcing Professional (COP) certifications.

The opinions expressed in this blog are those of Michael R. Overly and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
