Monday, May 17, 2010

stolen laptops

According to The Register, a British technology news site, password protection was the only security available on some of the laptops lost by Ernst & Young during a prior incident, which any avid computer user knows can be easily compromised. What about the laptops more recently lost by Ernst & Young employees? Was the data contained in those laptops encrypted? Are there any company policies limiting the extent of personal data that may leave the office where presumably network security standards and firewall protection are in place? Are there any company rules prohibiting employees from leaving laptops unattended (though you would think common sense would be enough)? Or better still, are there rules prohibiting the transfer of personal data to employee laptops? I expect there aren't. If any such measures were in place, Ernst & Young’s public relations people would have plastered that all over the media to reassure clients and the public in an attempt to save the firm’s corporate derriere.

Ernst & Young and the VA are not the only entities that have lost laptops with personal data, and most of these entities have developed a typical response straight from the Corporate Playbook. Ernst & Young has agreed to offer Hotel.Com customers a year's free credit monitoring. That’s no compensation for someone who will have to spend potentially years clearing up a resulting bad credit history. Anyone who’s been in the tenuous position of having to prove they do not owe a debt they do not owe will tell you that. If Ernst & Young created a task force to help consumers clear identity theft issues, then maybe that could be considered compensatory. If they offered to pay legal fees for anyone having to clear resulting bad credit histories, or pay state fines for prosecution of identity thieves, that might be considered compensatory. If they committed to and implemented a program to encrypt and secure the data and, in particular, prohibited downloading of personal data to portable computers in the first place, that would be considered the best move of all.

Employees of the auditing companies don’t seem to care what happens to your personal data. The Register reported that, in one case, employees left laptops in an unattended conference room while they went off to lunch. You can just see how that might happen. They’re in Miami at yet another conference. The conference is at a downtown hotel they’ve been to a couple times. They’re familiar with the hotel and the area so already they feel some sense of false security. Someone’s been talking for hours about converting more sales, pushing certain investments, or their company’s new data recovery center that will help clients feel more “secure.” Anyway, the speaker stops to take a breath and everyone realizes it’s a good time to break for lunch. They’re coming back to the room so, hey, why lug around those heavy laptops? Aren’t they coming back to the room for the second half of the conference? Do they even ask if the conference room will be locked during lunch? Of course not. They’re company laptops. What’s a few lost laptops to a big corporation like Ernst & Young

No comments:

Post a Comment