Saturday, April 28, 2007

The stolen laptop saga strikes yet again

Retailer Neiman Marcus had a pension company report the theft of a laptop containing the records of 160,000 current and past employees.

These “data breaches” are almost starting to sound too common. This one is almost a yawner compared to TJ Maxx and the 45.7 million tidbits divulged. Neiman Marcus disclosed this breach because some of those employees are in states that have laws requiring disclosure when information is lost or stolen. Stolen laptops and data breaches are not new, but due to disclosure laws, we are hearing about them more often than ever before.

The thief who took the laptop did so because of opportunity. He was a petty thug who saw an opportunity. That opportunity was kindly provided by a person who set it down somewhere in public and walked away for a minute, most likely to get extra napkins for the latte that spilled a few drops on a table in a café. I’m making this up, but the real scenario was surely that simple. Most thieves are lazy and go for the low-hanging fruit, the easy targets. The thief was not thinking about what information could possibly be on the hard drive either.

Now the thief takes this laptop and turns it into cash quickly. After all, he’s done his work for the day; now it is time to get paid. That laptop will end up changing hands a few times, and it will be the random luck of the draw whose hands it passes through and who looks at the data stored on it. It will most likely end up in a pawnshop and eventually on an internet auction site.

This laptop theft, like all the others that have come to light recently, will cost Neiman Marcus much more than they would have spent on the control of that information. They paid for credit monitoring for 160,000 people, and that was a nice tidy sum they did not have in this year's budget.

It would have been cheaper and easier to have spent more money up front to control their corporate information, through data-protection policies and training that apply anywhere that information is stored, including a laptop with a third party. They will now be spending money on that.

If that had been an individual's laptop, not a corporate one, the reaction would be the same. A flurry of activity would occur to fortify and monitor to be sure there are no attacks. Not only is the loss of the device costly, you now have monitoring, worrying, time, and effort added to that unnecessary event.

You normally don't leave a purse or wallet unsecured in public, even briefly, because there is a good chance it will be stolen. The same is true with a laptop.

These thieves are not smart, but we have to be, and take some extra steps to not become a piece of low-hanging fruit.