Awareity's Lessons Learned Blog


Lost Laptop…Lost Reputation

Posted in Lessons Learned, OK, Then What? by awareity on May 28, 2009

Lost or stolen laptops and other digital media are the cause of more than 40% of data breaches.

Business travelers lose more than 10,000 laptops per week in U.S. airports.

An estimated 11,300 laptop computers, 31,400 handheld computers and 200,000 mobile telephones were left in taxis around the world during a recent six month period.

While these statistics may seem outrageous, I was recently on vacation in Chicago when one of my friends accidentally left his laptop sitting on the train.  While his immediate response was, “Oh, *%$&!”, my thought was “Oh, no, I am going to have to blog about my friend’s company and their latest data breach….”

Luckily, no personal information was stored on the laptop and amazingly enough, the laptop was turned in to the transit lost and found.  However, an important lesson was learned that day.

Laptops and other mobile devices are lost every day, and organizations need to use the headlines about these incidents to update their policies and procedures with situational awareness, so that people are managed effectively and sensitive and confidential information is not exposed. Situational awareness is more than ‘dos and don’ts’: it involves understanding how information, events and a person’s actions will affect an organization’s goals and objectives now and in the future.

Are Fines Becoming a New Revenue Source for States?

The “octuplet mom” story not only created a media frenzy at Kaiser Permanente’s Bellflower hospital; the mom and her eight newborn babies also created multiple lessons learned opportunities for every hospital that was paying attention.

The lessons learned started in January, when the eight babies were born: making sure hospital personnel were prepared to handle the media frenzy, knew what they could and could not say, and knew which actions were acceptable and unacceptable.

Does your organization have policies and procedures in place to handle a media frenzy?

Then in March, Kaiser Permanente’s Bellflower hospital revealed that 15 employees lost their jobs and eight others were disciplined for improperly accessing the “octuplet mom’s” medical records. The lessons here involve multiple departments, including management, human resources, information security, legal, risk management and compliance, as well as individual-level awareness and accountability.

Does your organization have documentation and proof of due diligence in place to describe improperly accessing information and to ensure your termination and disciplinary actions will stand up to wrongful termination lawsuits?

Then in May, state health officials from the California Public Health Department’s Center for Health Care Quality announced that Kaiser Permanente’s Bellflower hospital was fined $250,000 because nearly two dozen medical workers, including doctors, illegally viewed the “octuplet mom’s” medical records.

Does your organization have policies and procedures and documentation in place to explain what is legal and what is illegal regarding personal information covered by state mandates and federal regulations?

Will information breaches become a new revenue source for state governments desperately needing to address shortcomings and deficits?

Organizational leaders should take note sooner than later now that a precedent has been set and new regulations are definitely on their way!

Booted Workers Stealing Data

A recent survey revealed that 59% of workers who were laid off, fired or quit their jobs in the last 12 months admitted to stealing company data. Many ex-employees are taking information from their organization to help them find new jobs and make themselves more valuable to competitors and other organizations.

With the downturn in the economy and layoffs affecting millions of people nation-wide, organizations must realize employees can easily carry out paper documents, CDs, DVDs, USB memory sticks or simply send documents to personal e-mail accounts before exiting, so it is critical for organizations to communicate acceptable and unacceptable actions to all employees and make sure all employees have acknowledged responsibility for acceptable and unacceptable actions.

Shockingly, the survey also showed 24% of ex-employees still have access to their former employer’s computer systems.

Organizations need to utilize lessons learned from these surveys to more effectively:

  • Develop clearly-defined data protection policies and procedures
  • Disable account login credentials immediately and monitor access
  • Ensure all employees have acknowledged organizational controls and objectives
  • Aggressively enforce organizational controls with employees and ex-employees
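The second item above, disabling credentials immediately and monitoring access, is the one a survey number like 24% makes measurable. The following check, added here as an illustration and not from the original post, cross-references a constructed HR separation list against a constructed directory export and flags accounts still enabled past a grace period, noting whether they were used after the owner's last day.

```python
"""Offboarding access check: flag directory accounts that are still enabled
after the owner's separation date.  Illustrative code added to this post,
not from the original; all sample data below is constructed."""
from datetime import date

# Constructed HR separation list: employee_id -> last working day (ISO date)
SEPARATIONS = {
    "e1001": "2009-04-30",
    "e1002": "2009-05-15",
    "e1003": "2009-05-27",
}

# Constructed directory export: (username, employee_id, enabled, last_login)
ACCOUNTS = [
    ("jdoe",   "e1001", True,  "2009-05-20"),  # still enabled, logged in after exit
    ("asmith", "e1002", False, "2009-05-14"),  # disabled on time
    ("bwong",  "e1003", True,  "2009-05-27"),  # left yesterday, inside grace period
    ("clee",   "e2000", True,  "2009-05-27"),  # current employee, no separation
]


def lingering_access(separations, accounts, today_iso, grace_days=1):
    """Return accounts whose owner has left but which are still enabled more
    than grace_days after the last working day.  Each finding records how
    long the account stayed open and whether it was used after exit."""
    today = date.fromisoformat(today_iso)
    findings = []
    for username, emp_id, enabled, last_login in accounts:
        last_day_iso = separations.get(emp_id)
        if last_day_iso is None or not enabled:
            continue                      # current employee or already disabled
        last_day = date.fromisoformat(last_day_iso)
        days_open = (today - last_day).days
        if days_open <= grace_days:
            continue                      # offboarding still within the allowed window
        findings.append({
            "username": username,
            "employee_id": emp_id,
            "days_open_after_exit": days_open,
            "used_after_exit": date.fromisoformat(last_login) > last_day,
        })
    return sorted(findings, key=lambda f: -f["days_open_after_exit"])


if __name__ == "__main__":
    for f in lingering_access(SEPARATIONS, ACCOUNTS, "2009-05-28"):
        print(f"DISABLE {f['username']}: open {f['days_open_after_exit']} days "
              f"after exit, used after exit: {f['used_after_exit']}")
```

Run against a real directory export and HR feed, the "used after exit" column is the one to escalate, since it turns a policy gap into a possible incident.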

More importantly, organizations need to establish a “culture of trust”. If employees respect the organization they work for, they are much less likely to steal information from that organization. By empowering and engaging employees, management can inspire trust and loyalty to ensure better results.

As this dangerous trend of employee data theft increases with the recession, what is your organization doing to address these risks and inspire trust among your employees?

$500,000 Stolen by ATM Skimming Gang

Posted in Information Security, OK, Then What? by awareity on May 18, 2009

A recent incident revealed that thieves installed simple card skimming devices and cameras on bank ATMs, stealing customer account details and recording PIN numbers.  Once the thieves gathered the ATM card data, new ATM cards were easily created with the stolen customer information and the new ATM cards were used to make unauthorized withdrawals.

The thieves stole $500,000 from over 250 bank customers, and according to follow up news stories the customers are now being reimbursed by the bank.

In this economic downturn, can banks afford to put $500,000 back into their customers’ accounts and continue to foot the bill for identity theft?

Do you think it would be worthwhile for banks to use this lessons learned story and implement new or updated policies and procedures to ensure ATM devices are being checked regularly and have not been tampered with?

What if a third-party service provider maintains a bank’s ATMs? Have all appropriate individuals from the service provider acknowledged they are aware of the bank’s policies and procedures? How are banks monitoring third parties and service providers?

But what about security camera surveillance…aren’t most banks implementing cameras to help with security efforts? Another lesson learned here is that security cameras do not prevent thieves from placing a skimming device on a bank’s ATM. Banks must make sure that PEOPLE are reviewing the tapes before they can take action to protect their customers’ information, their customers’ money and their own money.

Lessons Learned clearly show that if banks are serious about safety and security then Lessons Implemented Tools are needed to keep up with constantly changing threats and more sophisticated thieves.