When a good samaritan contacted Ohio-based Cardinal Health in mid-June to tell them that a used laptop purchased on eBay contained company information, Cardinal Health recovered the laptop and began to investigate. Under their policies, data on decommissioned computers are to be securely deleted by their IT department and then securely destroyed by a vendor. In a letter to the New Hampshire Attorney General’s Office dated September 7, the company reports that an employee in their IT department admitted that he had not securely destroyed the data or sent it on to the vendor and had, instead, sold it on eBay. Because the laptop had been replaced and the data transferred to the new laptop, the company was able to determine that no personal information had been on the sold laptop.
In light of the employee’s confession, the company decided to inventory all decommissioned computers that had been scheduled to be destroyed. They discovered that nine laptops and two desktops could not be accounted for. The employee, who they fired, denied any misdeeds other than the one laptop he had confessed to.
By evaluating their backups, Cardinal Health was able to determine in August that one of the unaccounted-for laptops contained personal information from the HR department. Employee numbers, dates of birth, and Social Security Numbers for current and former employees as well as dates of birth and SSN for some job applicants were on the missing device.
In its letter to those who had personal information on the missing laptop, Cardinal Health offered them free services but did not tell them that a former employee had confessed to selling another decommissioned laptop on eBay without destroying the data on it. Even though the former employee denied any involvement with the missing computers and even though Cardinal indicated that a laptop had been found for sale on eBay, I think that knowledge of his actions with respect to another laptop might be important for those affected to know so that they can evaluate their risks. While Cardinal Health did the right thing in terms of reporting and offering services, I do not think they did the right thing by withholding this information. What do you think?