That notebook contained the personal information, such as credit information, of approximately 243,000 customers of Hotels.Com who’d booked rooms between 2002 and 2004. In a sense, this second incident is more egregious because losing notebooks is allegedly commonplace for Ernst & Young.
Nokia staff jacked by Ernst & Young laptop reduction (30 March 2006)
40,000 BP workers exposed in Ernst & Young notebook loss (23 March 2006)
Missing Ernst & Young notebook exposes IBM employees (15 March 2006)
Readers astounded by Ernst & Young’s notebook giveaway (4 March 2006)
Ernst & Young loses four more laptops (26 February 2006)
Ernst & Young neglects to disclose high-profile info loss (25 February 2006)
According to The Register, a British tech news site, password protection was the only security on some of the notebooks lost by Ernst & Young during a previous incident, which any avid computer user understands could be easily compromised. What about the laptops recently lost by Ernst & Young workers? Was the data on those laptops encrypted? Are there any company policies restricting the extent of personal data that may leave the office, where presumably network security controls and firewall protection are set up? Are there any business rules forbidding employees from leaving laptops unattended (though you would think common sense would be sufficient)? Or are there rules banning the transfer of personal information to employee laptops? I expect there aren’t. If any such steps were in place, Ernst & Young’s public relations people would have plastered that all over the media to reassure customers and the public in an effort to save the company’s corporate derriere.
Ernst & Young and the VA aren’t the only entities that have lost notebooks with personal information, and the majority of these entities have developed a standard response straight from the Corporate Playbook. Ernst & Young has agreed to provide Hotels.Com customers a year’s free credit monitoring. That’s no compensation for someone who will need to spend possibly years clearing up a resulting bad credit history. Anyone who has been in the position of having to prove they don’t owe a debt they don’t owe will tell you so. If they offered to pay legal fees for anybody needing to clear resulting poor credit histories, or pay state fines for prosecution of identity thieves, then that may be considered compensatory. If they committed to and implemented a program to secure and encrypt the information and, in particular, prohibited downloading of personal data to portable computers in the first place, that would be considered the best move of all.