Data theft may hurt workers

August 16, 2006

By David Lazarus

Chevron may have pocketed record profits of $4.35 billion in the most recent quarter, but that wasn't enough to protect the names and Social Security numbers of potentially tens of thousands of employees.

The San Ramon oil giant sent an e-mail to U.S. workers Monday warning that a laptop computer "was stolen from an employee of an independent public accounting firm who was auditing our employee savings, health and disability plans."

The e-mail offered no details about the theft but told workers that "upon learning of this incident, we immediately ensured that law enforcement was informed and began risk mitigation steps."

"We believe that it is unlikely that any Chevron benefit plans will be impacted by this theft with the security measures we have in place for those plans," the e-mail said. "Nonetheless in order to mitigate any identity theft issues related to this event, we are offering a comprehensive set of services paid for by Chevron to affected plan participants."

The e-mail was sent by Peter Robertson, Chevron's vice chairman, to "U.S. payroll employees." Nearly half of the company's 59,000 workers worldwide are from North America.

This latest theft involving sensitive data stored on a laptop highlights -- yet again -- the danger of fraud and identity theft to workers and consumers in an age of highly portable digital information.

Recent cases of compromised privacy include the theft of a laptop containing data for 26.5 million veterans from the Maryland home of a Department of Veterans Affairs employee and the disappearance of a laptop containing the names and addresses of 160,000 Kaiser Permanente members in Northern California from a Kaiser office in Oakland.

Issue is widespread

"It's a big problem," said Larry Ponemon, founder of the Ponemon Institute, a Michigan think tank that focuses on privacy issues.

"It's always the human factor," he said. "There are always going to be people who download something incredibly confidential onto their laptop and then it ends up stolen or on the Internet. It's not because of evil intent. It's usually because of incompetence or complacency."

On Tuesday, the Ponemon Institute issued a study revealing that 81 percent of companies surveyed have experienced the loss of one or more laptops containing sensitive data over the past 12 months.

The study also says 64 percent of almost 500 data-security pros surveyed admit that their companies have never performed an inventory to determine the location of customer or employee info.

Cryptic communication

Chevron is saying very little about its own data going astray.

Kent Robertson, a spokesman for the company, declined to provide details about where the laptop theft occurred or the number of Chevron employees affected by the security breach.

He acknowledged only that the missing data include names, Social Security numbers and other sensitive information related to employee benefit programs.

"If we're notifying the entire workforce, it's obviously something we're taking very seriously," Robertson said.

He said Chevron learned of the theft on Monday, Aug. 7, and that the laptop was apparently stolen two days earlier -- a Saturday.

Robertson said the data was being audited to ensure compliance with federal regulations for employee benefit plans. He declined to identify the accounting firm but said it wasn't PricewaterhouseCoopers, which acts as Chevron's independent public accountant.

Robertson also declined to say why the accounting firm had been permitted to take the data outside Chevron's own facilities and why the information had been downloaded to a relatively insecure laptop.

Chevron's e-mail to workers said only that the laptop was password protected -- a modest barrier at best for experienced hackers. The e-mail said nothing about the stored data being encrypted.

A spokesman for the San Ramon Police Department said no reports have been received in recent weeks regarding missing Chevron data, indicating that the theft transpired well outside the company's headquarters.

"It's very regrettable that this occurred," Robertson said. "We're taking steps to avoid any recurrence. We're reviewing our procedures for sharing information with outside firms."

Investing in confidence

Ponemon, the privacy expert, said the handing over of confidential data to third-party service providers and consultants represents one of the greatest data-security vulnerabilities for major companies.

"A lot of organizations make no effort to perform due diligence," he said. "They put it in a standard contract that vendors must have safeguards, but there's no testing of those safeguards."

Ponemon is a former partner at PricewaterhouseCoopers and oversaw the auditing firm's privacy practice.

He said companies need to devote more attention to training workers in data-security practices and to monitoring workers' adherence to security guidelines.

"Companies say they do these things," Ponemon said, "but they don't do it very well." He also said any sensitive data stored on a mobile device must be encrypted, "no ifs, ands or buts."

The VA learned this lesson the hard way. It announced Monday that it will spend $3.7 million to equip all computers with encryption software. VA Secretary R. James Nicholson said this will make the agency "a model of data security."

Similarly, Kaiser Permanente said it, too, will begin installing encryption software next week on computers that store patient info.

Matthew Schiffgens, a Kaiser spokesman, acknowledged that rolling out encryption technology in a large organization is both logistically challenging and expensive.

"We're never going to live in a risk-free world," he said. "In order to maintain public confidence, this is money well invested."

main page ATTRITION feedback