Personal Data Loss – November 2006

November 15, 2006

Boeing

http://www.boeing.com/empinfo/dataprivacy/personal_data_loss_faq_111506.pdf



General FAQ Information

What happened?
A laptop was stolen the week of November 6th from a Boeing employee. On the laptop were old, unencrypted salary planning files containing Personally Identifiable Information on 762 individuals.

What are the details of the theft?
The laptop was taken from the employee’s home when the employee was away. Theft of laptops is the number one security issue for corporations*. It can happen to anyone at any time. This incident underscores the importance for all Boeing employees to either use encryption or rid their computers of old, unused files, particularly those containing Personally Identifiable Information.

What is “Personally Identifiable Information”?
Personally Identifiable Information, or PII, is the combination of any information that can be used to identify a person such as:

• First name OR first initial and last name in combination with one or more of the following:
• Social security number
• Driver's license number
• State identification number
OR financial account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

What kind of Personally Identifiable Information (PII) is on file in the stolen laptop?
First of all, no banking or credit card information, date of birth, or home address was on the computer. However, names with Social Security numbers, and Social Security numbers alone, were in the files.

Are all Boeing employees affected?
No. This incident affects 762 employees. Each is being personally notified by the company. If you are not personally notified by the company, you are not affected.

Are all the affected individuals currently Boeing employees?
No. But again, all affected individuals are being personally notified.

Why was personal information of non-Boeing persons on file in the computer?
The files in question involved salary planning from 2002. All individuals were active Boeing employees at that time.

What is Boeing doing to mitigate the potential for identity theft in this situation?
Boeing is personally contacting each affected person and offering them a 3-year credit monitoring membership at no charge.

What is Boeing doing to prevent the loss of personal data via computer thefts?
Boeing recognizes that individuals who entrust their personal information to the company have a right to expect it will be properly protected. To that end Boeing is pioneering an effort to push Whole Disk Encryption to every employee. Upon installation, it will encrypt all files on the computer. After that, it will automatically encrypt each and every file saved to the hard drive.

If Boeing is making it mandatory for personal information files to be encrypted, why wasn’t this file encrypted?
The previously mentioned requirements were levied on HR employees; this manager was not in HR and had not been required to clean his computer. The following requirements for handling Personally Identifiable Information are now in effect enterprisewide.
Employees who handle PII must:

• Clean computers of unencrypted Boeing Proprietary information,
• Load Boeing-approved encryption software for the temporary storage of such information,
• Complete mandatory training,
• Be able to demonstrate ongoing compliance.

What has happened to the employee?
As this is a personnel matter, Boeing can make no comment regarding the employee. Appropriate corrective action will be taken.

What is happening with the investigation?
Boeing is working with authorities in an effort to re-secure the laptop.

Haven’t there been similar incidents of stolen laptops with unencrypted personal information?
Yes, a laptop was stolen from a Boeing employee traveling through an airport in April, and one was stolen from an employee’s hotel room last November. Both contained Personally Identifiable Information on a number of current and former Boeing employees.

What did Boeing do in those incidents?
In addition to strengthening the policies and procedures for handling personal data, as mentioned above, Boeing personally informed affected individuals and provided the opportunity for them to activate a 3-year credit monitoring membership to prevent potential identity theft and to protect their credit. 80,000 people activated these Boeing-paid memberships.

Has there been any identity theft linked to these previous incidents?
There is no evidence at this time that identity theft has taken place as a result of either the incident in April or the incident in November, nor is there any evidence that identity theft has taken place as a result of this latest incident.

