
Irony: Two FTC Laptops Stolen From Car...An Unfair and Deceptive Business Practice?

Earlier this month the AICPA, proponent of good privacy programs and creator of a privacy management methodology (apparently built around the OECD privacy principles), reported that it did not remove personally identifiable information (PII) from a hard drive it sent to an outside repair shop, and the drive was subsequently stolen.  Irony.  Someone within their organization was not following their own advice (yep, human nature...and possibly lack of awareness and training...at work).

Today it was reported that two laptops were stolen from the car of an FTC employee that contained PII about 110 individuals.  More irony.

"The information includes individuals' names, addresses, Social Security numbers, birth dates, and "in some cases, financial account numbers," the regulatory agency said this week."

"The analyst had violated a department security policy by taking home the sensitive data. The incident prompted calls for all government agencies to adhere more closely to the Federal Information Security Management Act."

It makes you wonder, will a regulatory oversight agency such as the FTC fine itself?  It appears they need to beef up their information security program.  Should they require themselves to have independent, 3rd party audits for the next 20 years?  Should they require an extensive list of information security and privacy actions to be implemented?  Well, okay...I'm being facetious...but this really is ironic...the agency that is constantly scolding businesses for lax security...WHICH IS A GOOD THING; WE NEED AGENCIES THAT UPHOLD THE LAWS AND BUSINESS PROMISES...now experiences an incident.  This is the type of situation all CISOs and CPOs have nightmares about...trying as hard as they can to have a good program, and then having a hugely publicized incident occur as a result of one person's lack of knowledge about security, or carelessness, or whatever other excuse can be attributed.

The FTC actually did provide information about this event on their website:

"Commission Notifies Individuals of Theft

The Commission today announced it is notifying approximately 110 individuals that two FTC laptop computers, one of which contained some of their personally identifiable information, were stolen from a locked vehicle. The FTC has no reason to believe the information on the laptops, as opposed to the laptops themselves, was the target of the theft. In addition, the stolen laptops were password protected and the personal information was a very small part of several thousand files contained in one of the laptops. The personal information was gathered in law enforcement investigations and included, variously, names, addresses, Social Security numbers, dates of birth, and in some instances, financial account numbers. The letters being sent to the individuals, some of whom are defendants in current and past FTC cases, explain the type of information about that individual that may have been on the laptop, and the steps the individuals should consider taking to limit their risk of identity theft. The FTC will offer these individuals one year of free credit monitoring.

The FTC’s Inspector General has been notified and is investigating the theft. The local police department, as well as appropriate federal law enforcement agencies, including the Department of Homeland Security and the Federal Bureau of Investigation, also have been notified."

Well, the information within their message certainly is lacking...they are using statements similar to the ones they have scolded other organizations for using...such as, "In addition, the stolen laptops were password protected and the personal information was a very small part of several thousand files contained in one of the laptops."  Come on, now...it would have been much more effective to just say, look, we made a mistake.  We should have ensured all the PII on our mobile computing devices was encrypted.  We were silly not to.

The fact there were "several thousand files" contained on the laptops is pretty much irrelevant; it takes just a few seconds to a few minutes to do a search using the native OS utilities to find data within any of hundreds of thousands of files.

Most of the individuals whose PII was compromised were defendants in current cases.  What would REALLY be ironic is if they were defendants in laptop theft cases!  :)


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.