If it's Friday, it must be time for disclosure of yet another theft of a laptop containing the confidential personal information of thousands of workers. This time it's oil giant Chevron confessing to the data loss.
The California-based company notified employees earlier this week that a laptop containing names, Social Security numbers, and "other sensitive information" had been stolen from a third-party accounting firm that was conducting an audit of Chevron's employee health and savings plans.
David Lazarus of the San Francisco Chronicle quoted an internal e-mail sent by Chevron to its employees. "We believe that it is unlikely that any Chevron benefit plans will be impacted by this theft with the security measures we have in place for those plans," it said.
The accounting firm was not identified, and Chevron provided few details as to the nature of the theft, or why the data was not encrypted. The company claimed the laptop was password-protected, but security experts called that a modest protection at best.
Chevron, which recently posted a record $4.4 billion in net income for the second quarter of 2006, pledged to assist law enforcement in recovering the laptop and to provide protection for any employees who were affected by the theft.
The practice of tasking third-party companies with handling other companies' data has led to numerous data breaches and laptop thefts in the past 12 months alone. Both the Royal Ahold food marketing company and Hotels.com suffered data breaches when independent auditors lost equipment containing workers' information.
Student loan company Texas Guaranteed lost information on 1.3 million borrowers when data downloaded onto a mobile storage device by third-party contractor Hummingbird disappeared.
And the Veterans' Administration, already battered by the theft of a laptop containing data on 26.5 million veterans from an analyst's home, suffered another blow when a desktop computer containing veterans' insurance and medical records was stolen from the headquarters of technology services firm Unisys.
The Reston, Va.-based company had been contracted by the Veterans' Administration to assist with processing insurance claims.
InfoWorld's Ted Samson admonished companies that don't scrutinize relationships with their outsourcing partners closely enough and don't implement and enforce data security procedures strictly enough.
"I think it's inevitable that we'll soon see hefty lawsuit settlements against companies that have negligently exposed their employees' SSNs and other personal information," he said. "In the meantime, though, companies (and governmental agencies) need to get on the ball."