

The List Keeps Growing...Fidelity Investments Laptop Stolen

My list of laptops stolen or lost keeps growing.  Every day I find a new report (no, I have not been blogging about each instance, but they are added to my list), but this one was noteworthy.  A Fidelity Investments laptop containing confidential information on around 200,000 of their customers, those in HP's pension fund and 401K, was stolen on March 15th.

"Fidelity says there is no evidence that the data has been misused."  There is rarely evidence within 8 days that bad people are doing bad things with confidential personal information.  The smarter bad people typically wait a while, or do bad things in ways that are not readily identified...usually taking advantage of poor security practices within the various organizations where they want to use the personal information fraudulently.

These incidents continue...why can't organizations learn from the mistakes and incidents of others?  Why do companies allow clear-text confidential information to be stored on mobile computing devices that have already been demonstrated to be easily lost and stolen?  Probably to save money...and because no law specifically requires them to, verbatim, "encrypt data on mobile computing devices."  I have heard too many lawyers within organizations say that if the letter of the law does not specifically require a safeguard such as encryption, then they should not implement it if skipping it will save the company money.

"It is unusual to have so much information on one laptop, Fidelity spokeswoman Anne Crowley said, but the computer in question was brought to a business meeting by a team of employees."

What does this mean?  No one was accountable?  A group of people are sharing a laptop...why?  Probably to save money.  No accountability to any one person for the security of the laptop that way, either.

"William G. Duserick, vice president and chief privacy officer for Fidelity, recommended in a letter to Hewlett-Packard participants that those affected remain vigilant for the next 12 to 24 months, regularly review account activity and obtain a credit report from one or more of the national credit reporting companies, according to the Worcester Telegram & Gazette, which obtained a copy of the letter." 

So...instead of the company being vigilant and implementing proper security, it is easier to ask the impacted customers to be vigilant.  It is also pretty sad that they are not even purchasing a credit monitoring service for those impacted...I guess that *is* another cost savings, though.  Maybe they will, but you would think this significant tidbit would have been reported.

"Fidelity said the license to the software that contained the data has expired and, as a result, the scrambled data is difficult to interpret. The data is also in a form that is generally "unusable," Fidelity said." 

Well, so many things to say about the expired license issue, but that's a different topic...

Similar cop-out statements are increasingly being used when mobile computing devices are lost or stolen.  The data was not encrypted; it was "difficult to interpret."  If the software used with it is something widely available, then the data will likely be very easy to access.  However, it was not reported what software was used, so we don't know.

*  Implement security for mobile computing devices
*  Strongly encrypt data on the devices
*  Train people how to protect the devices

Oh, yes, and don't have group laptops...that's an incident waiting to happen.
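One way to turn the three recommendations above, plus the "no group laptops" point, into a repeatable control is a small inventory audit. This is an added example, not code from the original post; the asset register records, their field names (owners, encryption, holds_pii, training_date) and the encryption labels are assumptions constructed for illustration.

```python
from datetime import date

# Constructed sample asset register (illustrative values, not real data).
INVENTORY = [
    {"asset": "LT-001", "owners": ["alice"], "encryption": "fde-aes256",
     "holds_pii": True, "training_date": date(2006, 1, 10)},
    {"asset": "LT-002", "owners": ["carol", "dave", "erin"],  # shared team laptop
     "encryption": "none", "holds_pii": True, "training_date": None},
    {"asset": "LT-003", "owners": ["bob"], "encryption": "proprietary-format",
     "holds_pii": True, "training_date": date(2005, 2, 1)},
    {"asset": "LT-004", "owners": [], "encryption": "fde-aes256",
     "holds_pii": False, "training_date": None},
]

# Only full-disk encryption with a vetted cipher counts as "strong"; a vendor
# file format with an expired licence is "difficult to interpret", not encrypted.
STRONG_ENCRYPTION = {"fde-aes256"}
TRAINING_VALID_DAYS = 365


def audit_device(dev, today):
    """Return the list of control failures for one device (empty = compliant)."""
    findings = []
    # Recommendation 2: confidential data on the device must be strongly encrypted.
    if dev["holds_pii"] and dev["encryption"] not in STRONG_ENCRYPTION:
        findings.append("pii-not-strongly-encrypted")
    # Accountability: exactly one named person owns the device, never a group.
    if len(dev["owners"]) == 0:
        findings.append("no-accountable-owner")
    elif len(dev["owners"]) > 1:
        findings.append("shared-group-device")
    # Recommendation 3: the owner has current training on protecting the device.
    trained = dev["training_date"]
    if trained is None or (today - trained).days > TRAINING_VALID_DAYS:
        findings.append("training-missing-or-stale")
    return findings


def audit_inventory(inventory, today):
    """Map asset id -> findings, so non-compliant devices can be actioned."""
    return {d["asset"]: audit_device(d, today) for d in inventory}


if __name__ == "__main__":
    for asset, issues in audit_inventory(INVENTORY, date(2006, 3, 23)).items():
        print(asset, "OK" if not issues else ", ".join(issues))
```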


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.