[Dataloss] [media] US radio show about data loss
dano
dano at well.com
Wed May 3 10:21:07 EDT 2006
In the US on Tuesday the American Public Media radio show
"Marketplace" did a story on data loss, especially highlighting
laptop loss and theft. It did not present anything new to readers of
this list, but pulled together a representative list that the show's
listeners may not have been aware of.
<http://marketplace.publicradio.org/shows/2006/05/02/PM200605024.html>
(also available in RSS and mp3 feeds)
TEXT OF STORY
KAI RYSSDAL: You think you're doing pretty well with Internet
security, don't you. Protecting your passwords and not giving out
information. Well, smart as you are, the bad guys are even smarter.
There were two surveys out this week from Web security companies.
They say hackers aren't wasting time with viruses, anymore. They're
jumping through corporate security flaws the day they're discovered.
Which is how Social Security numbers can be taken from office
networks. Credit-card numbers, too. Never mind what happens when
laptops are stolen outright. Here's Sean Cole.
SEAN COLE: I've been
trying to figure out a way to really bring home the magnitude of
this corporate laptop theft problem. And I figured the best way was
to use Marketplace's tried-and-true method of imparting a whole lot
of information in a very short period of time. And so, ladies and
gentlemen, let's do the numbers.
About 18,000 Bank of America customers got a memo back in May saying
their Social Security numbers were on a laptop stolen out of an
employee's car. That same month a laptop was stolen from a branch of
Omega World Travel, containing the credit card info of 80,000
Department of Justice workers. Not to be outdone, Bank of America had
another laptop stolen in August. In November, 161,000 Boeing
employees were told that a laptop containing their Social Security
numbers was lifted. Geddit? Boeing? Lifted? In February, Ernst and
Young was hit. In March it was Fidelity. As I was writing this
paragraph, Boeing called again to say that, since we talked, another
laptop was grabbed away from an HR rep at an airport. We're talking,
at least, 14 different companies, three state governmental agencies,
five hospitals and nine colleges and universities. You're listening
to Marketplace!
Of course, the thieves probably don't know there's a bunch of
sensitive information on these laptops. In any case, they never seem
to find it. All the companies I talked to said the data was
password-protected and that there's been no fraud as a result of the
thefts . . . yet. But password shmassword, the data's still
vulnerable. So the companies have had to send out these really
awkward apology letters.
JONATHAN ZITTRAIN: And you can imagine, they're starting to get
better at drafting these things. You know, here's your spring
newsletter. And you have some good news with it and then at the
bottom . . . And by the way, we lost a bunch of your personal data
and please call this number.
This is Jonathan Zittrain, a co-founder of the Berkman Center for
Internet and Society at Harvard Law School. He says he's not
surprised that all of this information is walking around on portable
computers. People want to be productive on the run, he says. But he
says there are pretty sure-fire ways to protect sensitive
information. Like, encrypting it, or leaving the data on the main
server and remotely tunneling through the Internet to work with it.
ZITTRAIN: And it's strange that it's taken as long as it has to
really have these practices not only shape up but to be implemented
and I think there are still a number of companies out there, many of
whom have employees who haven't implemented even the basics of
encryption and data security.
For example, there's this financial services company called
Ameriprise. It's an off-shoot of American Express. Encryption of
sensitive data is company policy at Ameriprise. But when a laptop was
stolen from an employee's car in December, it turned out the data on
it was not encrypted - including the Social Security numbers of about
68,000 financial advisors. So the company fired the employee and
basically told the rest of its staff not to be like him.
STEVEN CONNOLLY: We shared with them where the policies are
located, that they should read up on them, that they should know the
policies.
Steven Connolly is director of communications at Ameriprise.
CONNOLLY: Some of the policies are about encryption. They also
include things like securing physical assets of the company like
computer laptops.
COLE: Like, not putting it in your car, basically.
CONNOLLY: Yeah.
But education . . . even re-education can only go so far.
GREG VAN PELT: Even with all the technological solutions, there's
the human element where you have to trust your colleagues.
Greg Van Pelt is a senior vice president at Providence Health and
Services, a health care system that operates in the northwest.
Providence Health has had four laptops stolen from employee cars
since September. Smash and grab jobs. Though one was more of a "Lift
the door handle and grab" job. Car was unlocked.
VAN PELT: You have to educate. You have to reeducate. And then
you have to trust.
Worse yet . . . In December a bunch of computer back-up discs and
tapes were stolen out of an employee's car. They contained information
on 365,000 Providence Health patients. And no, the company hadn't
fully encrypted everything. Though it has now. The problem is
Providence Health kind of has to carry this stuff around on laptops.
It does home visits, updating patient information on the spot.
Nonetheless, Van Pelt says the thefts have changed the company's
attitude toward laptops a little bit.
VAN PELT: All I can tell you, everybody in the organization is
very aware and they rarely leave the office.
COLE: The laptops do.
VAN PELT: Yes.
COLE: Do they stay in locked cars?
VAN PELT: Yes.
But only in the trunk, Van Pelt says, not the back seat. Plus, he
says, field reps have wireless now so they're carrying around less
information than they used to. Still, understandably, patients
haven't reacted too well.
NEVA CAVATAIO: It's a bummer. It's a drag. I try so hard to
protect my information.
This is Neva Cavataio, a soon-to-be graduate student in Portland. She
gets some of her medication through Providence. She got a letter back
in March saying her information was on one of the stolen laptops.
CAVATAIO: And you see these news reports everybody's ramming down
everyone's throat: You gotta be careful with your stuff. . . . And
then you give it to a hospital, which you think that they're
advocates of patient privacy and stuff, and then they're leaving it
thrown in the back seat of a car and it gets broken into.
Cavataio says Providence is paying a credit monitoring service to
keep an eye on her particulars for a year, a common "I'm sorry" that
companies offer in this situation. And not a cheap one. Boeing, for
instance, has had 80,000 people sign up for that service. Boeing is
also actually doing something about this kind of five-finger
information theft. New rule: No downloading sensitive employee data
onto laptops.
In Boston, I'm Sean Cole for Marketplace.