Data-loss disclosure falls short

June 16, 2006

By David Lazarus

Another day, another data leak. Today I bring news of railroad operator Union Pacific, which can make trains run on time throughout California but apparently can't keep track of confidential info affecting its own employees and retirees.

The company recently sent letters to workers acknowledging that an "employee's personal computer" was stolen on April 29. It said the computer contained data for "many" current and former Union Pacific employees, including names, birth dates and Social Security numbers.

No other details were provided.

Before we delve deeper into this latest case of missing info, it's worth noting (yet again) how unacceptable it is that companies believe they can get away with providing the barest minimum of disclosure when employees or customers are exposed to a potentially devastating risk of fraud and identity theft.

State law is clear: Businesses are required to "disclose any breach" of computerized data "to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person."

Merriam-Webster's dictionary is equally clear: "Disclose" means "to open up" or "to expose to view." This differs from "notify," which is defined as "to point out" or "to give notice of."

Yet it has become commonplace when companies experience a significant data breach that employees or customers receive only the briefest notification that an incident has occurred, and almost never a meaningful disclosure of what actually happened.

"We're not getting full disclosure at all," said Beth Givens, director of the Privacy Rights Clearinghouse, a San Diego advocacy group. "We never get the gory details."

She said her organization keeps files of letters sent to consumers and company workers whenever a security breach occurs. Nearly all such missives are woefully short on details about what really happened, she said.

"It looks like these letters get lawyered, and the corporate attorneys always believe that the less information they give, the better," Givens said. "They don't want to encourage lawsuits based on negligence."

Union Pacific's letter to workers is definitely from the less-is-more school. It offers no particulars as to where or how the computer was stolen, or why employees' names, Social Security numbers and birth dates were on the hard drive.

James Barnes, a Union Pacific spokesman, told me at first that he couldn't go beyond the contents of the letter. "We're trying to be very judicious about what we say," he insisted.

But after considerable backing-and-forthing, he finally acknowledged that the missing computer is a laptop and that it contains confidential info for about 30,000 workers and retirees.

Barnes also acknowledged that the laptop belongs to a Union Pacific employee, not the company.

This, of course, raises two important questions: Why was an employee allowed to store sensitive data for 30,000 colleagues on a personal laptop? And why was that laptop allowed to leave the company's premises?

Barnes declined to answer either question directly. He said only that the laptop appears to have been stolen as part of a random burglary, and that there's no evidence to date that any of the data has been misused.

"It was appropriate for the employee to have access to the information," Barnes said. "How the information was handled is being reviewed and discussed."

In Washington, much hand-wringing is under way over the Department of Veterans Affairs losing track of the names and Social Security numbers of 26.5 million veterans. A VA worker had stored the data on a laptop and had taken it to his home, where the laptop was stolen.

Comptroller General David Walker told lawmakers this week that the case -- and the VA's slowness in getting the word out -- points to the need for federal legislation requiring prompt disclosure after a major security breach.

"Public disclosure of major data breaches is a key step to make sure personal data is safeguarded," Walker said.

That's already the law of the land in California. Or it's supposed to be.

[an error occurred while processing this directive]