Yesterday CNN reported the results of the FORTUNE 2007 survey, which asked business people which companies, in any industry, they admired most.
The rankings were based upon 8 key score areas:
1. Innovation
2. Quality of management
3. People management
4. Financial soundness
5. Use of corporate assets
6. Long-term investment
7. Social responsibility
8. Product/services quality
Nothing here is directly related to privacy or information security. Perhaps they could be considered as part of “social responsibility,” but I doubt if those taking the survey thought about it much.
I wonder, would the rankings have been different if information privacy and security had been an additional key score area?
Perhaps.
Out of curiosity I did a quick check not only within my own database of breach occurrences, but also within the Privacy Rights Clearinghouse breach listing and the listings on attrition.org and pogowasright.org.
It didn’t take me long to find publicized information security incidents and privacy breaches for many of these companies. However, it was good (I guess, considering the sad state of security in so many businesses) to see that only 9 of the 20 have had publicized incidents. But then, again, that number should have been lower.
The top 3 admired companies HAD experienced security incidents and privacy breaches.
The following shows the rankings of these most admired companies, along with incidents that have occurred with them. Hey, FORTUNE, please include information security and privacy as one of your key score areas next year and see how, or if, your list changes.
Have we become so used to seeing companies experience incidents that it is no longer a factor in our opinion of that company? Or, since this survey was completed by business leaders, would it show that business leaders still are not concerned enough with information security and privacy?
FORTUNE’s Top 20 Most Admired Companies of 2007
1 General Electric
* Sept. 25, 2006 A GE employee’s laptop computer holding the names and Social Security numbers of approximately 50,000 current and former GE employees was stolen from a locked hotel room while he was traveling for business. 50,000 employees
2 Starbucks
* Nov. 3, 2006 Starbucks lost track of four laptop computers. Two held employee names, addresses, and Social Security numbers. 60,000 current and former U.S. employees and about 80 Canadian workers and contractors
3 Toyota Motor
* August 4, 2006 A laptop belonging to a Toyota contractor and containing personal information of job applicants and employees was stolen. Data included names and SSNs. 1,500 individuals
4 Berkshire Hathaway
I couldn’t find any publicized incidents about this Iowa-based company (cool).
5 Southwest Airlines
I couldn’t find any publicized incidents about this Texas-based company either.
6 FedEx
* Feb. 4, 2006 Inadvertent exposure at FedEx: W-2 forms included other workers’ tax information such as SSNs and salaries. 8,500 individuals
* July 25, 2006 A Cablevision Systems Corp. tape en route to the company’s 401(k) plan record-keeper ACS was lost when shipped by FedEx to Dallas, TX. The tape contained information about 13,700 current and former employees
7 Apple
I couldn’t find any publicized incidents about this California-based company
8 Google (NOTE: While finding PII through Google searches is not the same type of incident as the others listed, it demonstrates one way in which Google can be used to perpetuate the accessibility of PII through the nature of its technology. An entry also shows known noncompliance with international privacy laws.)
* October 10, 2006 The names and SSNs of 4,624 Floridians were accessible on the Internet for approximately 18 days in September. The data were not accessible through Web sites, but an individual came across the information when Googling his own name. The Florida Labor Department asked Google to remove the pages from its cache, and has notified all affected individuals by mail. 4,624 individuals who had registered with Florida’s Agency for Workforce Innovation
* June 24, 2006 Catawba County Schools, North Carolina – 619 students’ Social Security numbers found through Google search
* March 29, 2006 University of Nebraska, Lincoln – Social Security numbers and other information for 342 students archived by Google
* March, 2007 Google cautioned in its annual report that its privacy practices may run afoul of U.S., European, or other state or national data protection laws. “It is possible that these laws may be interpreted and applied in a manner that is inconsistent with our data practices,” the Google annual report said. “In addition to the possibility of fines, this could result in an order requiring that we change our data practices, which could have a material effect on our business,” it said.
* January 22, 2007 Finjan Inc. announced that it reconfirms recent reports that Google has unwittingly exposed private user names and passwords on the Google anti-phishing blacklist, which did not use any access protection. Such sensitive information could potentially have been used to compromise user privacy, and could even have been used for identity theft or financial profit (as users generally have a single “web” password for most of their online accounts).
* And many more…but I need to move on…
9 Johnson & Johnson
I couldn’t find any publicized incidents about this New Jersey-based company
10 Procter & Gamble
I couldn’t find any publicized incidents about this Ohio-based company
11 Goldman Sachs Group
I couldn’t find any publicized incidents about this New York-based company
12 Microsoft
* March 27, 2002 Personal information of thousands of job applicants revealed online
13 Target
I couldn’t find any publicized incidents about this Minnesota-based company
14 3M
I couldn’t find any publicized incidents about this Minnesota-based company
15 Nordstrom
I couldn’t find any publicized incidents about this Washington-based company
16 United Parcel Service
* July 18, 2006 A Nelnet Inc. computer tape containing personal information of student loan customers and parents, mostly from Colorado, was lost when shipped via UPS. The loans were previously serviced by College Access Network. 188,000 individuals
* January 11, 2006 UPS lost a People’s Bank backup tape with personal data for 90,000 customers while in transit
* June 6, 2006 UPS lost Citigroup tapes and data storage media containing PII on 3.9 million customers
17 American Express
* January 30, 2007 Five laptops were stolen in New York from Towers Perrin, which handles American Express’ benefits programs. 65,400 employees
* May 8, 2006 American Express warned on-line account holders of an unauthorised security pop-up that appears on its home screen. The pop-up tries to steal the personal details of customers and forwards them to remote hackers. In an online warning, American Express said, “Please note that this fraudulent activity may be the result of a computer virus and is not a part of the American Express website. If you received this pop-up box, your computer may have this virus.”
18 Costco Wholesale
I couldn’t find any publicized incidents about this Washington-based company
19* PepsiCo
I couldn’t find any publicized incidents about this New York-based company
19* Wal-Mart
* December 12, 2005 Sam’s Club/Wal-Mart exposed credit card data at gas stations. Unknown number of individuals impacted
* March 5, 2007 Wal-Mart fired an employee who was monitoring telephone conversations and intercepting text messages and pages.
* October 11, 2006 A Boone, Iowa woman sued her hometown Wal-Mart for printing confidential information relating to her medical history on the back of school supply lists and distributing them to customers in late July.