One hazard companies face is the loss or compromise of company information when a laptop gets stolen. To control against this hazard, companies often establish a policy that laptops must be encrypted. Or at least the laptops used by senior executives, HR, and Legal, because of the sensitive nature of the information with which they work.
But what happens if someone doesn’t follow the policy for a bunch of laptops used by HR that contained names, Social Security numbers, addresses, compensation, ethnic background, and driver’s license numbers? And then the laptops go missing? Well, you eventually end up sending notices to 74,000 people.
“Coke Says Employee Data Was Exposed,” Wall Street Journal, January 25, 2014, B1, http://on.wsj.com/1ayGymx
The laptops were “temporarily stolen” by a now-former employee who was responsible for maintaining or disposing of the laptops. The company learned of this on December 10 and notified people January 24, allegedly meeting legal notification requirements.
Questions: if you have a company policy requiring encryption of all laptops, how could a bunch of laptops being used by HR not be encrypted? Shouldn’t HR know and follow all company policies? Why did IT issue unencrypted laptops to employees? What other company policies aren’t HR and IT following? What’s your policy for notifying employees when their personal data may have been compromised? Do you notify everyone immediately, or do you wait until you have analyzed the data to determine specifically who was affected? Or is that a procedure and not a policy? What other policies or company-mandated procedures aren’t being followed by others in the company?
At least the Coke formula is secure. The policy on that is a capital “P” policy.