
DOT Stolen Laptop: Arrest Made

The U.S. Department of Transportation (DOT) laptop stolen in July, containing information "such as names, addresses, social security numbers, and dates of birth—on more than 130,000 individuals who were issued driver’s and pilot licenses in the Tampa and Miami areas," is still missing, but an arrest has been made.

The Office of Inspector General (OIG) report on this matter is intriguing. It describes how the Special Agents used decoy laptops in the same area where the DOT laptop was stolen to see if the thief, or thieves, would strike again. It is not clear if those arrested were the same ones that actually stole the laptop, but they admitted to stealing laptops in the area. The number of individuals involved was 133,000.

A couple of interesting excerpts from the OIG report:

"Our continuing investigation has shown with a high degree of confidence that the two laptops were not stolen to exploit the data for identity theft. There has been no credit fraud resulting from the theft of either laptop and based on our investigation to date, we believe that the risk of credit fraud in the future is very low."

If the personally identifiable information (PII) on these computers gets into the hands of someone who chooses to exploit the data for crimes, it will be very easy for them to do even if the original thief did not steal the computer for that reason.

"The second development is that we contracted with an Identity Risk Management company to review SPII data for almost 133,000 individuals on the Miami-area laptop and almost 9,500 individuals on the Orlando laptop (those same 9,500 individuals were also on the Miami-area laptop). The review found no indication that the data had been misused as of November 13, 2006. OIG will continue to receive periodic reports on whether there is an indication of suspicious activity that involves organized misuse of SPII from the laptops.

We awarded a contract to ID Analytics, Inc., of San Diego, California, to provide data breach analysis services to determine whether SPII for the approximately 133,000 pilots, commercial truck drivers, and individual drivers’ license holders in Florida was being exploited. This firm has developed proprietary software to monitor identity activity to determine whether identity theft is occurring in an organized way (indicating that stolen data is being exploited) and identifying how the data is being exploited (assisting investigators in apprehending the criminals). It has access to real-time identity fraud information, including data from leading companies that gather information from applications for credit, change of address, and other identity risk information. The companies include six of the top 10 U.S. banks, almost all major wireless carriers, and leading retail credit card issuers."

NOTE: SPII = Sensitive Personally Identifiable Information. The "S" is typically not included, since most PII is considered sensitive and can be used for fraud and other crime.

Criminal activity involving PII can occur many months after the PII has been taken, and by criminals who are far removed from the original thief.

The report references a very interesting Office of Management and Budget (OMB) memo, "Recommendations for Identity Theft Related Data Breach Notification," dated September 19, 2006, which contains recommendations to U.S. government agencies on how to determine whether notification is necessary when a breach occurs. I'll give it a thorough read...it may be worth a separate discussion...

For now, a few simple lessons that these stolen laptops continue to reinforce:

* Do not store entire databases of PII on mobile computing devices.
* Encrypt any PII that must be stored on mobile computing devices.
* Provide ongoing training and awareness to personnel for how to protect PII and mobile computing devices.


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.