It's the worst-case scenario for your business - an unencrypted laptop has been lost, and details on the thousands of customers it contains have leaked online. How do you tackle this situation? Do you go ahead and alert the affected customers knowing that it will open a big can of worms? What do you do?
Paul Colley
IT director, Piper Alderman
We'd probably all like to say this wouldn't happen in our organisation or that we'd take every precaution to prevent it. Unfortunately, as users become more computer literate and like to personalise their computers, the suggestion in this hypothetical becomes a possibility.
For the purpose of the hypothetical, let's assume that the laptop allows a user to save data to the hard disk. This user, a company executive, is going on holiday and, as there is a deadline looming, decides to take the company's client database with him on his laptop so that he has access to it while away. He has used remote access to the company's server in the past but as he does not know whether internet access will be available, he has played it "safe" and copied the database onto his laptop.
Many believe that the computer's password can protect the data on a PC or laptop but like any physical lock, it only protects from honest thieves. Without some form of encryption, the data is vulnerable and one of the best defences is not to store any sensitive data on a device that is even occasionally off-site and, particularly, unattended.
There is little use going over the benefits of encryption, as in this case the horse has bolted and the task comes down to minimising the damage and considering what steps need to be taken.
In assessing the impact of the data loss and subsequent publishing to a website, the question of whether to tell the client base arises. There is also the question of whether there is an obligation to inform the customers. In practical terms this is possibly not the case, although there may be the likelihood of a duty of care or an obligation to the customer regarding confidence. There may even be an issue of negligence in the handling of the laptop (or data). Ultimately, it will still come down to whether there was actually any damage due to the loss and subsequent uploading of the data to the internet.
Business names, addresses and, certainly in the case of public companies, contact names are mostly in the public domain and easily searched. It is possible that the only benefit the data from the laptop has brought to the thieves is that the data had already been collated. It probably should be considered whether there is any way of linking the company losing the laptop to the actual data that is now on the internet. Consideration should be given to whether more damage would actually be caused by informing the company's clients than not, particularly if the data is little more than what is found in the phone book or in a business publication.
Where a specific arrangement with a client exists on the use of their contact details, then the client should be informed subject to that arrangement, but often such databases contain more "prospect" information than actual client information and, as such, it was already sourced from either the internet or a public list.
This type of issue is not new and is no different to leaving a briefcase or folder containing a printed list behind. As with documents, data becomes vulnerable as soon as it is taken away from its primary, protected storage. The onus needs to be on the person who holds the documents. While encryption and security will help, at the end of the day it will come down to due care.
Colin de Kantzow
Chief technology officer
Baptist Community Services
If the data's already out there, then customers are already affected, and if there's not by now a press report, then there will be one very soon. If the company has a disaster plan including public relations and communications, I'd activate it. If not, I'd have someone start preparing one because it will be needed as soon as there's something coherent to say, probably in about three hours from now.
First, contain the damage. Find out where the data is published and get it taken down immediately. And I'd try to preserve forensic data if possible, but that would be secondary and I wouldn't let it slow down the damage control. The first priority is to prevent further damage to customers and, indirectly, to corporate reputation.
History shows that if the truth oozes out slowly, people will suspect that not all of it has been revealed. This suspicion is based on previous experience: the longer the period of time over which clarifications and snippets are released, the longer the story runs and the more damage to reputation occurs. There's a political story running right now that has these characteristics.
Best practice in this area for a corporation has pretty much been established, by the law in some jurisdictions, which requires that every person who might be affected by a data disclosure must be notified. Whether or not that applies here, the bar has been set. Any corporate body that holds itself (externally or internally) as committed to following best practice must meet the standard.
Therefore I'd prepare for full disclosure. First, I'd be expecting to communicate privately with affected customers, and have something ready for the press or those less directly affected. Even communicating with staff is important; it's never nice to read news about your employer in the newspaper before you heard it from your boss.
What to say? A clear statement of what happened: what was released and how. Who is affected and how. What they can do to protect themselves, listing explicitly any steps they should take. Next, something to reassure them that we're taking it seriously. What steps we are taking to minimise damage. What steps we are taking to find the root cause and ensure it cannot happen again, and allay any latent fears of a cover-up. An appropriate apology. Yours faithfully.
Next, fill in the blanks above, so that the letter(s) can be written. I'd analyse the damage and the risk of further disclosure. Establish a worst-case list of those affected and the type of information which may have been compromised, and when.
What is ultimately communicated will be a group decision by several senior executives with the advice of a communications professional; but they'll need fairly complete raw material early in the process.
I'd be conducting an extensive search of all file shares and back-ups, to find where lists of customers, suppliers and employees names have been stored (a search application or desktop search will do for a start). I'd be doing the same on every laptop and desktop. Then I'd be identifying a road map of projects to get rid of them and putting in place a regular repeat of the search to maintain compliance in the long term. Also, it would be time to revisit providing proper encryption for laptops - and desktops - to handle those cases where the data can't be eliminated.
Lastly, nothing focuses the mind like a crisis and, while the iron is hot, now is the ideal time to strike. I would remind the senior team of why their application strategy has all the data in core systems and not in spreadsheets, and get that strategic aim reaffirmed. In the same breath, I'd be asking for any extra resources I need to do the work outlined above. There are still other horses in the stable, so it's worth shutting the door even now.
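One way to carry out the file-share sweep described above, as an added example that is not from the article or from any of the commentators' organisations: a Python script that walks a share or backup mount and flags text-like files holding bulk e-mail lists or Luhn-valid card numbers. The regular expressions, the file extensions scanned and the 20-address threshold are assumptions to be tuned for your own environment.

```python
import os
import re
from typing import Dict, Optional

# Patterns for the two kinds of records the sweep is after (assumptions, not
# from the article): e-mail addresses as a proxy for contact lists, and
# 13-19 digit runs that pass the Luhn check as a proxy for card numbers.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so arbitrary long numbers are not reported as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def scan_text(text: str) -> Dict[str, int]:
    """Count distinct e-mail addresses and Luhn-valid card numbers in text."""
    emails = {m.lower() for m in EMAIL_RE.findall(text)}
    cards = {re.sub(r"[ -]", "", m) for m in CARD_RE.findall(text)}
    return {"emails": len(emails), "cards": sum(1 for c in cards if luhn_ok(c))}

def classify(hits: Dict[str, int], min_emails: int = 20) -> Optional[str]:
    """Label a file: card data first, then bulk contact lists; None otherwise."""
    if hits["cards"] > 0:
        return "payment-data"
    if hits["emails"] >= min_emails:  # threshold separates lists from stray mail
        return "customer-list"
    return None

def scan_tree(root: str, exts=(".csv", ".txt", ".tsv", ".log")):
    """Walk a share or backup mount and list files that warrant remediation."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    label = classify(scan_text(fh.read()))
                if label:
                    findings.append((path, label))
    return findings
```

Run `scan_tree` against each mounted share on a schedule and feed the findings into the remediation road map; files labelled "payment-data" should be dealt with before bulk contact lists.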
Chief executive of IT, HBOS
Any loss of personal data needs to be taken seriously - data can be used directly for financial fraud, indirectly for financial fraud or simply for malicious or sensationalist purposes. Privacy is important to Australians and any breach of this is serious.
Would we tell customers in this hypothetical situation? The simple answer is yes; HBOS Australia, like many other banks, is a regulated entity and is obliged to do so, regardless of the extent of the information lost.
But to make it more interesting, let's just assume that we're not obliged to do so. Would we still tell the customer? Assuming that the information lost held account details, particularly credit card details, the answer again would be yes. This is a clear and present exposure to immediate fraud potential, and we would take quick steps to limit the opportunity for financial loss to our customers and to get in contact with the customer directly. They would generally be contacted in the same way we contact customers and verify any unusual activity on their accounts.
If the data lost didn't hold any obvious account details, would we still contact the customer? I believe that the answer is still most definitely yes. I see no advantage to hoping that no one will find out, even if the risk is low.
However, in an interesting case in the US a couple of years ago, a judge ruled that a well-known financial services company was not negligent in a data leak in a similar scenario - not because it took adequate precautions to prevent the leak, but rather because the thieves never used any of the data. The bank was sued by two customers, whose claim for damages was rejected because they couldn't show they'd actually been harmed, which, on one level, makes sense. But to say that the company or its contractor wasn't negligent in storing customer data unencrypted on a laptop is a stretch. If you are negligent, but nothing happens, does that mean you are not culpable? I don't think so.
We must remember that the problem of losing any item can lead to information disclosure - it is not just limited to laptops - it also applies to smartphones, paper, USB drives and any other item that stores information that can be easily read or recovered. Research conducted by the Ponemon Institute showed that a surprising 51 per cent of the IT professionals confessed to having stored confidential information on a memory stick!
Like most serious organisations, our policy is to have all laptops encrypted.
Fairfax Business Media