As I looked back at 2009 to see what “lessons” I learned from last year, I noticed the usual incidents were included in my database, i.e., incidents of fires, floods and tornadoes. But I also noticed a continuing large number of data breaches, where our private and personal information is being exposed, stolen or lost and used illegally.
Back in 2006 I wrote a column on the need to better protect confidential information. I showed a number of 2005 examples of data breaches. In that column, I was commenting on the fact that it seemed that the private citizens were the people who had to clean up the problems caused by lax companies. I expressed my frustration by suggesting that our Congress should institute a regulation that requires the lax companies to be responsible to protect the information or be fined.
In June 2009, it was reported that TJX Cos. agreed to pay $9.75 million in a settlement with 41 state attorneys general over the security breach that compromised over 45 million credit and debit card numbers of the retailer’s customers. The settlement is on top of the prior settlements to MasterCard holders affected ($24 million) and to VISA card issuing banks to cover losses and expenses incurred as a result of the breach ($40.9 million).
After reading this, I thought to myself, data breaches can be very costly. Imagine my surprise when I reviewed my database only to find the following:
In April 2009, a former bank teller pleaded guilty to stealing key customer information while working at the bank in Philadelphia. The woman sold customer names, addresses, Social Security and drivers’ license numbers, dates of birth, and account balances to a third party, who used the information to negotiate fraudulent checks and other withdrawals in customers’ names.
In May of 2009, a former Philadelphia insurance company employee was indicted on identity-theft charges in connection with a scheme whereby the personal information of the insurance company’s customers was stolen.
In May of 2009, The National Archives lost a computer hard drive containing massive amounts of sensitive data from the Clinton administration, including Social Security numbers, addresses, and Secret Service and White House operating procedures. Other information included logs of events, social gatherings and political records. The drive was lost between October 2008 and March 2009 and contained 1 terabyte of data — enough material to fill millions of books.
In May of 2009, The Homeland Security Department’s platform for sharing sensitive but unclassified data with state and local authorities was hacked. The intrusion into the Homeland Security Information Network (HSIN) was confirmed to Federal Computer Week by Harry McDavid, the chief information officer for DHS’ Office of Operations Coordination and Planning. McDavid said the U.S. Computer Emergency Readiness Team reported an intrusion into the system in late March. The initial hack was brief and limited, and it was followed by a more extensive hack in early April. The hacker, or hackers, gained access to the data by getting into the HSIN account of a federal employee or contractor.
My database also provided information on the alleged theft of companies’ trade secrets or confidential documents:
In July 2009, a Goldman Sachs Group Inc. computer programmer, who quit in June, was arrested and charged with stealing codes related to a high-speed trading program that he helped develop. He was arrested by FBI agents as he got off a plane at Newark Liberty International Airport. According to a complaint filed Saturday, the programmer downloaded 32 megabytes of data from Goldman’s computer system with “the intent to convert that trade secret to the economic benefit of someone other than the owner.” The FBI alleged that after being arrested, the programmer claimed that he intended only to gather “open source” files that he had worked on, then “realized that he had obtained more files than he intended.”
In July 2009, an employee who had worked 30 years at Boeing Co. and Rockwell International was convicted of stealing trade secrets for China. A federal judge in California found the employee guilty of six counts of economic espionage and other charges for hoarding sensitive documents in his home. The Ministry of Foreign Affairs in Beijing said the charges were “fabricated.”
In October 2009, federal authorities charged a former DuPont Co. chemist with downloading confidential company documents after he resigned. Authorities said the chemist transferred hundreds of documents involving organic light emitting diodes to his personal computer. Authorities said that the chemist resigned from a DuPont facility in Wilmington to take a job with the company in China. Authorities said he had also accepted a position at Peking University in Beijing and may have planned to commercialize the technology there.
I suppose if companies can’t protect their own trade secrets and confidential information, I shouldn’t expect that they are able to protect our private and personal information. That being the case, the least the CEOs and their general counsels should do is to send us “personal letters” apologizing for their error and explaining how they are going to offer to pay for 12 months of credit monitoring for me, or anyone else, whose confidential information has been exposed.
Ed Devlin, CBCP, has provided business recovery planning consulting services since 1973 when he co-founded Devlin Associates. Since then, Devlin has assisted more than 300 companies in the writing of their business recovery plans and has made more than 800 seminars and presentations