A division of GMAC Financial Services (Winston-Salem, N.C.) has been quietly informing about 200,000 of its customers that their personal data may have been compromised due to the theft of two laptop computers from an employee's car at a regional office near Atlanta.
In a letter to its personal insurance customers, GMAC Insurance indicates that "a random theft" of the laptops from a locked vehicle may have left them vulnerable to identity theft. The letter, obtained by InformationWeek, a sibling publication of Insurance & Technology, indicates that the stolen laptops contained customers' names, addresses, dates of birth, Social Security numbers, credit scores, marital status and gender. "For incidents like this, government regulatory agencies recommend that you place a fraud alert on your credit file," the letter, dated March 12, advises customers. The theft took place on Jan. 26.
One GMAC Insurance customer who received the letter says he was stunned to learn that the company stored such personal data on laptops. "I'm not sure how or who determines what constitutes 'secure' when it comes to customers' personal information," the customer says in an e-mail interview. "However, if company guidelines deem it acceptable to house that data on laptops, in parked cars, then I would question their competence to establish any process and procedure to ensure the security of any data, anywhere." The customer, who describes himself as a 30-year IT veteran, asked that his name be withheld.
A spokesman for GMAC Insurance says the company is reviewing its policies in light of the incident. "We are undertaking a comprehensive review of our security policies and procedures," he says. Among other things, he adds, GMAC Insurance now prohibits employees from transporting "certain types of information" on laptops and is evaluating new encryption technologies. The stolen laptops were password-protected but not encrypted, he adds. The spokesman says the data was being used for a marketing research project. He declined to say if any employees were disciplined as a result of the theft, which police have not solved.
Corporate security experts generally advise businesses to store sensitive data on secure servers and usually recommend that employees access it through the server via secure lines rather than store it locally. However, such safeguards are often an afterthought at many businesses. "There are not a lot of companies that have good procedures for protecting data; it's common for workers to take sensitive data home on an unprotected laptop," Gartner (Stamford, Conn.) security analyst Avivah Litan says.
According to research published by the Federal Trade Commission in September, 4.6 percent of consumers surveyed by the FTC reported that they were a victim of some form of identity theft. The FTC estimates that identity theft cost businesses $33 billion in 2002.
Legislators are hoping tougher regulations will help curb the problem. Under a law passed last year in California, companies doing business in that state are required to notify any customers who are California residents of any improper release of their personal data. U.S. Sen. Dianne Feinstein (D-Calif.) has introduced a similar bill at the federal level. Litan believes more high-profile data leaks could lead to more regulation. "The problem is becoming rampant, so clearly more action is needed," she says.
This article, written by Paul McDougall, originally appeared in InformationWeek, a CMP publication.