Oh, come on now! I couldn’t believe I was reading yet ANOTHER report of ANOTHER E&Y laptop that has been stolen recently! ANOTHER stolen from a car…ANOTHER with an unbelievably huge amount of personally identifiable information (PII)…ANOTHER that did not have the data encrypted! C’mon folks! If you are information security or privacy professionals, or business leaders of any kind, you really need to step up your efforts to educate your personnel about the risks involved with using laptops, implement encryption on all mobile computing devices, and not allow such inordinately large databases of personal information to be on mobile computing devices.
It is amazing also that the laptop theft occurred in February, but the E&Y client whose PII was on the laptop, Hotels.com, was not notified until May 3.
The data included names, addresses and credit card information.
"Ernst & Young invites those affected by the incident to enroll in a free credit monitoring service arranged by the auditor."
Why don’t they just go ahead and enroll all those individuals into the credit monitoring service? Why make the victims have to tell them to do it…it’s likely many of the individuals will not be aware any potential breach has even occurred until they start having problems with their credit reports. Yeah, sure, letters were mailed to them…but how many will be read?
"The letter from Hotels.com said "Ernst & Young was taking additional steps to protect the confidentiality of its data, including encrypting the sensitive information we provide to them as part of the audit process.""
If you entrust sensitive data, such as PII, to another company, for any reason, you should make it one of your contractual requirements for them to keep the data encrypted. Their sloppy security is probably going to impact you more than them when they have an incident involving it.
Technorati Tags
information security
IT compliance
corporate governance
awareness and training
encryption
stolen laptop
personal data breach
privacy