Earlier this month the AICPA, proponent of good privacy programs and creator of a privacy management methodology (actually apparently built around OECD privacy principles) reported that it did not remove personally identifiable information (PII) from a hard drive they sent to an outside repair shop, and the drive was subsequently stolen. Irony. Someone within their organization was not following their own advice (yep, human nature…and possibly lack of awareness and training…at work).
Today it was reported that two laptops were stolen from the car of an FTC employee that contained PII about 110 individuals. More irony.
"The information includes individuals’ names, addresses, Social Security numbers, birth dates, and "in some cases, financial account numbers," the regulatory agency said this week."
"The analyst had violated a department security policy by taking home the sensitive data. The incident prompted calls for all government agencies to adhere more closely to the Federal Information Security Management Act."
It makes you wonder, will a regulatory oversight agency such as the FTC fine itself? Appears they need to beef up their information security program. Should they require themselves to have independent, 3rd party audits for the next 20 years? Should they require an extensive list of information security and privacy actions to be implemented? Well, okay…I’m being facetious…but this really is ironic…the agency that is constantly scolding businesses for lax security…WHICH IS A GOOD THING; WE NEED AGENCIES THAT UPHOLD THE LAWS AND BUSINESS PROMISES…now experiences an incident. This is the type of situation all CISOs and CPOs have nightmares about…trying as hard as they can to have a good program, and then having a hugely publicized incident occur as a result of one person’s lack of knowledge about security, or carelessness, or whatever other excuse can be attributed.
The FTC actually did provide information about this event on their website:
"Commission Notifies Individuals of Theft
The Commission today announced it is notifying approximately 110 individuals that two FTC laptop computers, one of which contained some of their personally identifiable information, were stolen from a locked vehicle. The FTC has no reason to believe the information on the laptops, as opposed to the laptops themselves, was the target of the theft. In addition, the stolen laptops were password protected and the personal information was a very small part of several thousand files contained in one of the laptops. The personal information was gathered in law enforcement investigations and included, variously, names, addresses, Social Security numbers, dates of birth, and in some instances, financial account numbers. The letters being sent to the individuals, some of whom are defendants in current and past FTC cases, explain the type of information about that individual that may have been on the laptop, and the steps the individuals should consider taking to limit their risk of identity theft. The FTC will offer these individuals one year of free credit monitoring.
The FTC’s Inspector General has been notified and is investigating the theft. The local police department, as well as appropriate federal law enforcement agencies, including the Department of Homeland Security and the Federal Bureau of Investigation, also have been notified."
Well, the information within their message certainly is lacking…they are using statements similar to the ones they have scolded other organizations for using…such as, "In addition, the stolen laptops were password protected and the personal information was a very small part of several thousand files contained in one of the laptops." Come on, now…it would have been much more effective to just say, look, we made a mistake. We should have ensured all the PII on our mobile computing devices was encrypted. We were silly not to.
The fact there were "several thousand files" contained on the laptops is pretty much irrelevant; a password prompt is not encryption, and once the disk is out of the machine it takes just a few seconds to a few minutes to search hundreds of thousands of files for data like Social Security numbers using the native OS utilities.
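To show how little effort that search really takes, and to give CISOs a defender's check to run before a device leaves the building (or goes to a repair shop, as in the AICPA case), here is a small PII-discovery scanner. It is added example code, not from the original post or from the FTC; the SSN plausibility rules and the "account no:" pattern are my own heuristics, and the sample files are constructed.

```python
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Hypothetical heuristics for the data types named in the FTC notice
# (SSNs and financial account numbers); an illustration, not a DLP product.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
ACCOUNT_RE = re.compile(r"\baccount\s*(?:no\.?|number|#)?\s*:?\s*(\d{8,17})\b", re.I)

def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Drop values that can never be issued SSNs (cuts false positives)."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"

def scan_text(text: str) -> Dict[str, int]:
    """Count plausible SSNs and labelled account numbers in one document."""
    ssn = sum(1 for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups()))
    acct = len(ACCOUNT_RE.findall(text))
    return {"ssn": ssn, "account": acct}

def scan_tree(root: str, max_bytes: int = 5_000_000) -> List[Tuple[str, Dict[str, int]]]:
    """Walk a directory and list files holding PII; skip huge or unreadable ones."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    counts = scan_text(fh.read())
            except OSError:
                continue
            if any(counts.values()):
                findings.append((path, counts))
    return findings

# Constructed sample: one case file with PII, one memo without.
CASE_FILE = ("Defendant Jane Doe, SSN 123-45-6789, DOB 01/02/1970, "
             "account no: 001234567890. Docket 000-12-3456 is not an SSN.")
MEMO = "Staff meeting moved to 10 AM; bring the Q3 slides."

def demo_scan() -> List[Tuple[str, Dict[str, int]]]:
    """Write the constructed files to a temp dir, scan it, return file names hit."""
    with tempfile.TemporaryDirectory() as tmp:
        for fname, body in (("case.txt", CASE_FILE), ("memo.txt", MEMO)):
            with open(os.path.join(tmp, fname), "w", encoding="utf-8") as fh:
                fh.write(body)
        return [(os.path.basename(p), c) for p, c in scan_tree(tmp)]

if __name__ == "__main__":
    for path, counts in demo_scan():
        print(f"{path}: {counts}")
```

Point `scan_tree` at a user's profile directory and every flagged file is one that must be encrypted or removed before the machine leaves your control.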
Most of the individuals whose PII was compromised were defendants in current cases. What would REALLY be ironic is if they were defendants in laptop theft cases! 🙂
Technorati Tags: information security, IT compliance, stolen laptop, FTC, corporate governance, awareness and training, government, data protection law, privacy law, privacy