By Amy Joyce
Washington Post Staff Writer
Sunday, June 11, 2006
As the public discovered that Social Security numbers and other personal information from 26.5 million retired and active U.S. military personnel were on a laptop stolen from the home of a Department of Veterans Affairs analyst last month, workers who were hoping to pitch their boss on a telecommuting option probably felt their hopes crash.
That breach was followed by the news that personal information was lost on a stolen laptop of a Giant employee. And more with the loss of a laptop by an Internal Revenue Service worker. And from an Ernst & Young worker. And on and on.
Well, in the much simplified words of teleworking experts and IT gurus this week, and without knowing all of the details: If workers are going to work with company data from computers at home, there need to be strict regulations in place. The agreement to take a laptop home can't be casual. And the only way people should be able to gain access to sensitive information is not through a disk or external hard drive (how 1984) but through a Virtual Private Network (VPN) line. Along with many firewalls and complicated log-ins.
This news, however, should not stop companies from allowing teleworking, said Robert Smith, director of the International Telework Association & Council. In fact, he hopes all this news will make organizations better arbiters of how to do so more carefully.
"I think what this might most likely do is really help companies and organizations focus on whether telework should be formal or informal," he said. "When it's informal, not all the policies are set down. It's usually a verbal agreement. That could work well, but making it formal ensures that all aspects of telework are practices that need to be followed."
Obviously, these happenings are not the best news for proponents of teleworking, said Chuck Wilsker, president and chief executive of the Telework Coalition.
But on the upside, he thinks this is going to be the "big wake-up that they really can't do things they aren't supposed to do, and violate security issues." The technologies exist, he pointed out, that allow workers to access a server from anywhere in the world. And then when they disconnect, everything they did stays on the server. "There is no reason to physically take things away to work on remotely," he said.
Recent developments, including crippling hurricanes, terrorism and high fuel prices, have led many companies to offer a telework option, or at least to figure out a way to continue business should something disastrous occur. Now add the flu pandemic to that list, as organizations consider whether teleworking should be a part of their business plans if we get to that point.
Even the president's plan for business continuity in case of bird flu calls on companies to allow (or set up) teleworking options. Companies, and the federal government, need to allow teleworking also as a recruiting tool, said Steve O'Keeffe, executive director of the Telework Exchange, a public-private partnership that encourages such arrangements in the federal government. "Clearly the government is in a situation from a recruitment end that they need more teleworking," he said, suggesting that new workers may choose private companies over the government because they offer more flexible work situations.
But even though the government has been steadily increasing its number of teleworkers, the recent news should make both private and public organizations think hard about policies for working remotely by computer.
"Here, maybe for the first time, we have a screaming example of what can go wrong," said William Nolan, an employment lawyer. "With this particular situation, which is probably the worst-case scenario, it's really a question of [human resources] and tech people working together to make sure your data, your customer's data and employee data is secure."
Companies that allow teleworking should have a short telecommuter agreement, he said. It should give the employer the right to check a person's work space, for instance, to make sure the home office is as secure as a corporate office.
Since VIPDesk, a company that provides call center services for customers, was founded in 1998, most of its employees have worked from their homes. Having people work from anywhere was important to the company, so it could recruit from anywhere, not just within a 50-mile radius of Old Town Alexandria, said Dan Fontaine, vice president of technology. The company employs people as far away as Hawaii.
The company is "definitely concerned" when it hears stories about security breaches, he said. VIPDesk has clients in the financial industry where security, obviously, is key. Every one of its 100 remote employees has to sign in to the VPN to access the system, which is encrypted. The employees then have at least two log-ins that are "very difficult to crack," he said. Once inside, those who have access to certain customers can only see data for those customers. Everyone is required to have an antivirus, which must be running at all times.
Last month's news -- and the subsequent stories of other breaches -- had a rapid backlash, said Ken Siegel, an organizational psychologist. "Most businesses will probably engage in implementation of some restrictive policy," he said.
He likens the current security breach to what prompted the Sarbanes-Oxley Act, which puts pressure on top executives to attest that they have rules in place to ensure financial statements are correct. But Sarbanes-Oxley was enacted only because the government and companies didn't do enough about ethics until it was too late, he said. "Now you have this very repressive, extensive network of laws to make up for a lack of integrity," he said.
Companies need to think preventively and to instill in workers an increased sense of personal responsibility for the care and protection of data, he said. "If I were to be working from home and believe that how I act affects confidential, private information . . . I would behave differently," he said. "From my point of view, it's much more interesting to change people's mentality about this as opposed to what kind of systems we can put in place" to enforce security rules.
(Well, he is a psychologist, after all.)
Join Amy from 11 a.m. to noon Tuesday to discuss your life at work at washingtonpost.com. E-mail her firstname.lastname@example.org, working dads, to voice your working dad Father's Day wish list. Your day's coming.