In this case, the financial institution lost personal information about an unspecified number of its employees, according to reports. The company informed workers of the breach on Aug. 28.
The data was on a disk drive and/or a laptop, both of which were swiped from the trunk of a car. Whether they know it or not, the perpetrators got away with names, Social Security numbers, and prescription information.
There's a common thread in all these data-leak cases, one that I've alluded to previously: The data was being handled by third-party companies. Frustratingly, most of these companies won't disclose the names of their data-fumbling partners, which means those partners don't have to suffer embarrassing publicity or make promises to step up their security measures. Heaven forbid.
Third-party follies aside, maybe organizations aren't taking the problem seriously because courts have already set a precedent that relieves them of negligence if they lose customer data. Last March, U.S. District Judge David Doty in Minnesota ruled that Wells Fargo was not responsible for losing customers' personal data because said data was never misused by miscreants. The judge's general reasoning was that the people suing the company hadn't suffered any actual damages; they were merely worried about future ones.
So there you have it. Companies have the luxury of saving money by being lax on security. If they spill your SSN, your address, your phone number, your health records -- info that could be used for identity theft or a targeted phishing scam -- they don't have to fret. That is, unless the data is abused in the aforementioned manner, in which case I expect the victims would then have to demonstrate that the perpetrators were using the data they'd harvested from said company.
It's a fascinating legal precedent, isn't it? Why are there strict government regulations and guidelines in HIPAA that protect patients' medical records, for example, but nothing to better ensure protection of customer data, which could be used just as maliciously?
Granted, I'd rather that companies and organizations take it upon themselves to enact better security measures, such as implementing encryption technology. But for the time being, there's no tangible ROI in that, I guess. It's cheaper to just e-mail out an apology and give victimized customers and employees a year of free credit monitoring.