The Boston Globe reported Tuesday that “Ameriprise Financial Services Inc. will pay $25,000 to settle a probe of how one of its laptop computers went missing with the personal data of thousands of Massachusetts residents.”
An Ameriprise Financial Services laptop stolen in 2005 contained cleartext (unencrypted) personally identifiable information (PII) on over 200,000 individuals.
Although the company had a policy requiring such data to be encrypted, the employee did not follow that policy and was subsequently fired.
The laptop was recovered, “and there have been no reports of harm.”
Ameriprise did not pay for credit monitoring for the individuals impacted. Considering that a credit monitoring subscription costs on average $12 – $15 per month per individual, if each of the 200,000 individuals subscribed for one year it would cost them a collective $28.8 million – $36 million, plus their personal time to address the associated issues. Organizations where breaches have occurred can work with the credit reporting agencies to get a better rate when they provide the service for the individuals, but it would still be a significant cost, and certainly considerably more than the $25,000 settlement with the State of Massachusetts.
Even though it is good that a fine has been applied, it seems a token amount. Reportedly this is the first time a regulatory agency has applied a fine for failing to safeguard PII on a laptop that was stolen. Since this fine was applied by a state, I wonder whether the FTC could still apply a fine of its own, and make it significant enough to demonstrate the importance of securing PII stored on mobile devices. There appears to be a Gramm-Leach-Bliley Act (GLBA) violation here, and also an FTC Act violation.
Ameriprise “also will pay for an independent review of its procedures.” It is good they are reviewing and updating their procedures. However, this will be a comparatively insignificant cost. Hopefully it will prevent other incidents.
Where is the $25,000 “settlement” going? It’s being paid to the State of Massachusetts to cover the cost of the investigation, according to another report.
Some Lessons Learned:
* Strong procedures and controls are necessary to support policies. It is good that Ameriprise had a policy requiring encryption on laptops, but without effective procedures and tools to support the policy, security incidents will occur, as they did here.
* Sanctions must be applied consistently when personnel do not follow policies. Firing the employee who did not follow policy has probably sent a very clear message to other employees that they must follow policy or risk losing their job. Policies must have significant sanctions to motivate compliance.
* Training must be effective and awareness ongoing for the vulnerabilities involved with handling PII and how to reduce the involved risks by following policies and procedures. Did the employee who broke policy even know about the policy? Had he or she received training and ongoing awareness messages about how to protect PII and how to encrypt data on laptops?
* Organizations must have information security and privacy incident response plans in place to prepare for such inevitable events and respond most efficiently. See my Anatomy of a Privacy Breach.
* Regulators must enforce the laws and apply appropriately significant fines and penalties to organizations that do not adequately protect PII. A $25,000 fine may cover the state’s cost for the investigation, but what does it do to help cover the costs for the impacted individuals? Why didn’t they additionally require, at a minimum, credit monitoring service to be provided for those individuals? If organizations knew this was a likely penalty, many more would probably take better and more effective actions to establish strong safeguards to prevent such incidents.