This computer contained data on all American veterans who were discharged since 1975 including names, social-security numbers, dates of birth and in many cases phone numbers and addresses -- nearly 30 million entries in all. Although the laptop was later recovered, the VA suffered a serious black eye, and Congress demanded that Secretary of Veterans Affairs R. James Nicholson testify about the breach.
Rep. Bob Filner (D., Calif.) took issue with firing the worker, saying that the data analyst was authorized to take a laptop home and use a software package to access the data, contradicting Nicholson's previous testimony that the employee was not authorized to have the information at home. "He got all the approvals that he was supposed to have," Filner said. "I don't know of a policy that he violated, if you'll tell me one. And that's the real negligence -- that there were no policies."
Create Your Own
Privacy and confidentiality of your company's and clients' data are the hot button pushing the most recent regulations and compliance laws. If your company is affected by compliance regulation, such as Sarbanes-Oxley, HIPAA, the PCI DSS (Payment Card Industry Data Security Standard) or other regulations, losing a laptop could land you in serious privacy-violation hot water. TJX has already spent more than $250 million recovering from a January data loss, with large class-action suits in the wings.
Creating such a policy probably isn't a do-it-yourself project. It's a good idea to sit down with a legal adviser and a security expert to find out where your company is vulnerable and what you can do to plug the holes. You don't have to build your policy from scratch, however; there are myriad sources to draw inspiration from. The SANS Institute's