Over on DataLossDB.org, I was entering a security breach notification sent by Atlanta-based Oldcastle APG, Inc. They had informed the New Hampshire Attorney General’s Office that a laptop containing over 5,000 employees’ names, Social Security numbers, and bank account information had been stolen from an employee’s car. As required by the state, they had attached a copy of the notification letter they were sending to employees, and I read it to see if it provided any additional details not included in their cover letter. It didn’t.
But then I came to this statement in their notification to employees:
Okay, maybe programs that wipe data if the stolen laptop connects to the Internet are of some value. But if a thief simply powers up without connecting, or pulls the drive and reads it from another machine, then all that valuable unencrypted data is just waiting to be misused, isn’t it?
So is it really an “excess of caution” to notify people that their SSNs and bank account information are in the wild? Especially when the law requires you to notify them?
I don’t think so. Do you?
Remember when you were a kid, and that bully’s mom made him apologize? Yeah, this notification letter carries all of that apology’s sincerity.
Too many companies have jumped on the insincere apology bandwagon. It’s lost its value. These guys know of no “intent” to access the information? Unless there was a blackmail threat, how would they? If they had something like Lojack for Laptops installed, they would know when it was wiped out. But they haven’t said they got the confirmation. Maybe that’s why they’re “apologizing”.
Companies like this – I just have to shake my head and frown. I don’t know what they are thinking – You’re absolutely right – Smart crooks are probably going to remove the hard drive, MAYBE replace it, and try to sell the laptop to a pawn shop as quickly as possible, or from the trunk of a car. Heck, take the thing apart and sell the entire unit as parts – minus anything that may have a serial number on it.
Another theft from a car. This happens so often. The people who have objects stolen have probably never heard the saying “out of sight, out of mind”. Nor do they have the presence of mind to think about the area they are in when they are entrusted with a device that contains PII. It should be treated like cash, stocks, heck, gold. Instead it could be shrugged off as “eh, if it is stolen, it’s not mine”. For their security blunder, the offender should be required to pay restitution in the form of a single payment for the replacement cost of a like or newer computer.
The data on the hard drive can be duplicated and put back. There are so many possibilities/variables that a slick command to a laptop’s MAC address or phone-home software is useless. Trying to comfort someone with a line of semi-technical jargon is a way to interject doubt in the thieves’ ability to do harm, and by doing so, converts a ticked-off user into one who will probably sit and wait vice take action.
I don’t understand companies that will allow this. Biometrics is the way to go on laptops. Use a fingerprint and a PIN and you’re in. PII data should be required to be on IronKey-type technology only – a USB flash drive that is password protected. After 10 unsuccessful attempts in a row, it self-destructs.
Until the government starts to slap companies hard with fines, or they provide “PII insurance” over multiple years, like up to 5 years – then this sort of lethargic attention to detail and security protocols will always be the status quo. No matter what, it seems like the government goes soft, in case there is a public outcry of another act of heavy-handed actions by the US government. They are catching on, but it is waaaaay too late.
I am avid about customer service. I give the best possible customer service, and when it’s inbound to me, and I ask questions about a service that is being provided to me and it is failing/failed and I hear the stereotypical monotone phrase “I am sorry for the inconvenience” – more times than I wish to count, I simply say “I know you are,” now how is this going to be rectified? Don’t have an answer? Then let me talk to your supervisor. I will wait.
A one-year offering is trivial, it’s a minimum cost, and the company probably receives some sort of compensation or acknowledgement that they are bringing in temporary customers. Then the PII consultants, or sharks, sell these souls additional multi-year PII coverage that comes out of their pockets. It’s a racket. It’s a BS way for America to operate. I believe it happens more than I wish to think about =\