
Will someone PLEASE explain to me…

March 27, 2006

Fidelity Investments says they’ve lost a laptop containing customer information, including “names, addresses, Social Security numbers, and more—on as many as 196,000 Hewlett-Packard employees who have Fidelity retirement accounts”.

Their explanation is that they only allow information like that on laptops when it is needed for “client meetings”.


There is no excuse for that kind of information ever being on a laptop.  You wanna tell me Fidelity never heard of encrypted VPN channels to web applications?  Leave the records on the server and have the rep look them up over the VPN during the meeting; there should be no locally cached data sets.  And if some of it absolutely has to travel, the laptop's disk should be fully encrypted, so a lost machine is a lost machine and not a breach.

We all know how data persists on hard drives: deleting a file just drops the directory entry and leaves the bytes sitting on the platter until something happens to overwrite them.  What’s their procedure for deleting the data after the meetings?  To do it right, you need a shredding application that overwrites the file before it unlinks it.  Do all their field reps know how to do that?  And DO they do it?
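Here is what that shredding step looks like in practice, as an added example and not anything from Fidelity or the original post.  It assumes a plain file on a filesystem that rewrites blocks in place; the sample "client export" it scrubs is constructed for the demo, and the function and constant names are mine:

```python
"""Overwrite-then-unlink file shredding, with a check that the old bytes are gone.

Added example, not code from the original post. Assumption: the file lives on a
filesystem that rewrites blocks in place (overwrites on SSDs, copy-on-write or
journaled filesystems may leave the old blocks recoverable).
"""
import os
import secrets
import tempfile

# Constructed sample export: the kind of client-meeting extract the post complains about.
SAMPLE = b"name,address,ssn\n" + b"Jane Doe,1 Main St,000-00-0000\n" * 500


def overwrite_file(path: str, passes: int = 3, chunk: int = 1 << 20) -> int:
    """Overwrite every byte of `path` in place, `passes` times, with random data.

    Each pass is flushed and fsync'd so the writes reach the device rather than
    sitting in the page cache. Returns the number of bytes overwritten per pass.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def secure_delete(path: str, passes: int = 3) -> int:
    """Overwrite the contents, then rename to a random name (so the original
    filename does not linger in the directory entry) and unlink.
    Returns the number of bytes that were overwritten."""
    size = overwrite_file(path, passes)
    directory = os.path.dirname(os.path.abspath(path))
    anonymous = os.path.join(directory, secrets.token_hex(8))
    os.rename(path, anonymous)
    os.unlink(anonymous)
    return size


def demo(sample: bytes = SAMPLE) -> dict:
    """Write the constructed sample to a temp file, shred it, and report the result."""
    fd, path = tempfile.mkstemp(prefix="client-export-")
    with os.fdopen(fd, "wb") as f:
        f.write(sample)
    size = overwrite_file(path, passes=1)
    with open(path, "rb") as f:
        after_overwrite = f.read()  # what a recovery tool would see on those blocks
    secure_delete(path, passes=2)
    return {
        "bytes_overwritten": size,
        "same_length": len(after_overwrite) == size,
        "ssn_still_readable": b"000-00-0000" in after_overwrite,
        "file_gone": not os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo())
```

The caveat a field rep will never hear: on an SSD with wear levelling, on a copy-on-write or journaling filesystem, or wherever swap, backups or the application's own temp files made another copy, the old blocks can survive the overwrite.  That is why whole-disk encryption, and better yet never copying the data down in the first place, beats shredding after the fact.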

I wouldn’t be torqued about this except it happens all the time with the companies that hold our ‘identity-theftable’ data in their systems.  At least the law now makes it harder for them to sweep the loss or breach under the rug; they have to notify the affected individuals and do a bunch of remediation, but lots of people can slip through the cracks.

This was first identified as a problem years ago.  It took an act of Congress to get the companies to do anything at all, but I still read about large-scale incidents on a weekly basis.  Will someone please explain to me WHY THIS IS STILL HAPPENING?


Categories: Geeky, Security
  1. March 27, 2006 at 16:40 | #1

    My understanding is that there is serious lobbying going on for a federal law that would trump state laws in such cases—the states (California in particular) having been the ones to have actually forced such disclosure.

  2. March 27, 2006 at 20:46 | #2

    I think it’s primarily sloth.  While I’m sure Fidelity (at least their IT staff) knows about VPNs and has VPN hosting, enabling VPN client connection at a client site can take some effort.  Add to that the fact that sales is often a rogue force with respect to corporate governance, and you have a recipe for disaster.

    At the very least Fidelity could use strong encryption on the data files on laptops.  But that would require compliance by sales and other field personnel.

    My hope is that the CEOs of companies like Fidelity get sued big time.  Nothing like personal responsibility at the top to effect change.

  3. March 28, 2006 at 18:45 | #3

    I just have one question.  Do their customers know that Fidelity Customer info is kept on laptops, and if so WHAT THE HECK FOR?

    Last summer I worked for a local business that dealt with many Fortune 500 companies, doing marketing work.  Customer data for those companies was sometimes needed in order to send out cards and other stuff, but that data was never kept on laptops or computers.  It was all housed on secure servers.  Not a single employee that had a laptop could even look at any customer data without prior approval from the company.  And if the employee had a desktop, they could only look at the data, and there was a strict policy on keeping client data secure and only on the servers.

    This issue is just plain common sense.  It really, really, really boggles the mind that a company today would have this problem.
