BP is reporting that one of its employees lost a laptop containing the personal information of more than 13,000 people who filed compensation claims with the company in relation to the oil spill in the Gulf of Mexico. The laptop allegedly went missing on March 1, but the loss did not become public until this week, when the company began mailing out letters to individuals whose information was stored on the computer.
The laptop was password-protected but a spreadsheet containing personal information, including names, Social Security numbers, phone numbers, and addresses, was not encrypted or otherwise protected. BP has offered to pay for credit monitoring for the 13,000 affected individuals.
Interestingly, BP's "data management" problem is one that has been discussed internally at the company since at least 2005. Online, at BP's website, one can find a 2005 "Frontiers" publication from the company that features a story entitled "Viewpoint: Data and discipline." The piece, written by Tom Prescott, BP's Vice President for Gas, Power, and Renewables, states:
Many of us have responded to this way of working by keeping copies of everything we think we might need on our laptops or in shared folders. At a minimum, this is inefficient and creates a barrier to adopting technologies that could make us more competitive. In the extreme, it could cause a breakdown in compliance or decision-making that damages our reputation and performance. The infrastructure and systems already exist for us to transform our approach to data management. Now, we need to do our part.
The piece goes on to say that "[w]e also need to understand the full obligations associated with being accountable for these data, including digital security and data protection."
According to other documents on BP's website, the company has a privacy and data protection policy, as well as privacy and data protection coordinators. Whether this policy requires certain steps to be taken to protect data is unknown.
Was the potential compromise avoidable? Laptops get lost and stolen regularly. Protecting the sensitive data on them and on other mobile devices should be the norm, not the exception. Given the large number of data breaches involving information stored on laptops in both the corporate and government sectors, organizations should move away from storing information in unencrypted form on local hard drives and toward cloud and other secure storage mechanisms.