Most of us still remember the horrible and constant images of the BP oil spill last year in the Gulf of Mexico. The residents are still trying to piece their lives back together and some are finally getting a little solace. Now, to add insult to injury, a BP employee lost a laptop holding personal information on Louisiana residents who filed claims for compensation. The data included a spreadsheet of names, Social Security numbers, phone numbers and addresses. The laptop was password-protected, but the information wasn’t encrypted. A login password only gates the operating system; whoever has the hardware can pull the drive or boot from a USB stick and read every file on it. So effectively, the data is fair game.
BP mailed out letters to about 13,000 people notifying them about the potential data breach. It reported the incident to law enforcement and offered to pay for credit monitoring for the affected people. The employee lost the laptop on March 1, 2011, but BP took almost a month to notify affected people. A spokesman for BP said, “We’re committed to the people of the Gulf Coast states affected by the Deepwater Horizon accident and spill, and we deeply regret that this occurred.” Looks to me like BP doesn’t really care that much, since its data and document security are pretty lax.
What is BP’s responsibility in this case? Louisiana has very explicit breach notification laws that define the process of notification. According to the law:
The notification required pursuant to Subsections A and B of this Section shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in Subsection D of this Section, or any measures necessary to determine the scope of the breach, prevent further disclosures, and restore the reasonable integrity of the data system.
I assume that BP thinks one month is “without unreasonable delay,” since it said it was doing its due diligence and investigating the incident during that time. The statute does allow time for “measures necessary to determine the scope of the breach,” but that is a thin justification here: the scope of a lost laptop with a known spreadsheet on it can be determined in hours, not weeks. The statement isn’t clear about when BP notified law enforcement, but if it suspected that the laptop was stolen, that report should have been immediate.
I recently wrote about the responsibilities of organizations that suspect a data breach. This is what you should do:
1. Respond – tell people about the breach immediately. Notify those affected, the appropriate law enforcement agencies and the people within your organization who need to act. Since this information contained Social Security numbers, claimants’ privacy is affected. These people have lost enough, and having their identities stolen could completely destroy their lives.
2. Assess – figure out what happened and what to do about it. If you suspect a breakdown in physical or information security, look at policies, process, technology and people. In this case, full-disk encryption on the laptop, or at least encryption of the sensitive spreadsheet, would have turned a lost laptop into a piece of lost hardware rather than a data breach (assuming the machine was powered off or locked, so the key wasn’t sitting in memory). But there may also be process and policy breakdowns, starting with why an employee was carrying around a laptop with such sensitive information on it in the first place.
3. Fix – create a plan to fix the problems and execute it. This should include training people on information security, implementing processes to prevent the leaking of sensitive data, and deploying technologies to plug the gaps. Don’t think of this as a one-time fix. You need to know what information is sensitive, where it’s stored and who actually needs to use it, and then limit access to the people with a need to know. If the laptop had been enrolled in remote wipe, or the document protected by rights management with a kill switch, this would be a non-story. Bear in mind, though, that a remote kill only works once the device or document checks in, so it complements encryption rather than replacing it.
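Step 3 stands or falls on knowing what sensitive data is sitting on which machines. Here is an added example of the kind of discovery scan that finds it; this is my own illustration for this post, not BP’s tooling or anything from the original article. It assumes the data lives in CSV exports or plain text, uses a constructed fictional claims spreadsheet as input, and applies the Social Security Administration’s published structural rules (area 000, 666 and 900–999, group 00 and serial 0000 are never issued) to cut down on false positives. The report keeps only the last four digits of each hit, so the scan doesn’t create yet another unencrypted copy of the numbers it is looking for.

```python
"""Added example (not from the original post): a minimal data-discovery scan
for Social Security numbers in spreadsheet exports and text files, the kind
of check that tells you which laptops are carrying data that must be
encrypted, moved or deleted. Assumptions: files are CSV or plain text, and
the validity rules in is_plausible_ssn are the SSA's structural rules only
(they say a number could be an SSN, not that it was ever issued)."""
from __future__ import annotations

import csv
import io
import re
from dataclasses import dataclass
from typing import Optional

# 3-2-4 digits, optionally separated by a dash or a space ("123-45-6789",
# "123 45 6789" or "123456789"). The word boundaries stop a 10-digit phone
# number from matching on a 9-digit substring.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject strings that can never be an issued SSN: area 000, 666 or
    900-999, group 00, serial 0000 (SSA structural rules)."""
    a, g, s = int(area), int(group), int(serial)
    if a in (0, 666) or a >= 900:
        return False
    return g != 0 and s != 0


@dataclass(frozen=True)
class Finding:
    source: str            # file the hit came from
    line_no: int           # 1-based line (for CSV: data row, header is line 1)
    column: Optional[str]  # CSV column name, None for plain text
    masked: str            # only the last four digits survive in the report


def _mask(serial: str) -> str:
    # Never copy the full number into the scan report; that would just
    # create a second unencrypted copy of the sensitive data.
    return f"***-**-{serial}"


def scan_text(source: str, text: str) -> list[Finding]:
    """Scan free text line by line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if is_plausible_ssn(*m.groups()):
                findings.append(Finding(source, line_no, None, _mask(m.group(3))))
    return findings


def scan_csv(source: str, text: str) -> list[Finding]:
    """Scan a CSV export cell by cell so the report names the offending column."""
    findings = []
    reader = csv.DictReader(io.StringIO(text))
    for row_no, row in enumerate(reader, start=2):  # row 1 is the header
        for column, value in row.items():
            for m in SSN_RE.finditer(value or ""):
                if is_plausible_ssn(*m.groups()):
                    findings.append(Finding(source, row_no, column, _mask(m.group(3))))
    return findings


def sources_needing_protection(findings: list[Finding]) -> list[str]:
    """Distinct files that must be encrypted, moved off the laptop or deleted."""
    return sorted({f.source for f in findings})


# Constructed sample resembling a claims spreadsheet export (fictional data).
# Row 3 carries an impossible area number (000) and should not be reported.
SAMPLE_CLAIMS_CSV = """name,ssn,phone,address
Jane Doe,123-45-6789,504-555-0101,"12 Bayou Rd, Houma LA"
John Roe,000-12-3456,225-555-0199,"9 Levee St, Chalmette LA"
Sam Poe,456789012,985-555-0123,"3 Marsh Ln, Grand Isle LA"
"""

if __name__ == "__main__":
    hits = scan_csv("claims.csv", SAMPLE_CLAIMS_CSV)
    for f in hits:
        print(f"{f.source}:{f.line_no} column={f.column} ssn={f.masked}")
    print("needs protection:", sources_needing_protection(hits))
```

Run over the sample, the scan reports rows 2 and 4 in the `ssn` column and ignores the phone numbers and the structurally impossible value in row 3. In practice you would point `scan_csv` and `scan_text` at every file on the machine and treat any file that appears in `sources_needing_protection` as a reason to either encrypt the disk or get the data off the laptop entirely.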
Many decry oversight and regulations as burdensome to conducting business. In today’s fast-paced world of instant information access and hacking, you need to regulate access to your most sensitive information. Hopefully no one will use the information on the lost BP laptop for identity theft or other malicious activities. Unfortunately you can’t wish these things away. You can’t hide behind the old standby of not doing anything because it might inconvenience the users. At one time, no one locked their front doors. Today you wouldn’t think about leaving home without doing that. We all got used to it.
BP may incur legal fines and other penalties from this data breach. I am not sure it can stand any more blows to its already battered corporate image and brand. If it had been quicker to notify the affected parties, it might have been able to improve that image. Experiencing a data breach can be devastating to any business. Even the best of companies can be affected. Just like with anything in business, you should expect problems to occur. How you handle them says a lot about your business and your commitment to your customers, employees, partners and investors.
With the warm weather finally here, it’s time to do some spring cleaning and review your information security policies, processes and technologies. Hopefully you won’t have a data breach, but if you do, you’ll know how to handle it.