Word of tapes “falling off the back of trucks” is almost a once-a-month event these days, but the way companies handle the disclosure of these admittedly embarrassing incidents is shameful.
A coworker at TechTarget told me this morning that he had just received a letter from IBM informing him that the company had lost tapes containing sensitive current and former employee data, potentially including his Social Security number. This is old news [May 15], but a few things struck me as interesting about it.
1) He has not worked for IBM in over 20 years, yet the company is still storing information on him. Ever heard of ILM over there, guys? I think Tivoli has something…
2) IBM announced this publicly on May 15 but my friend did not receive the letter until June 7.
3) IBM lost the tapes on Feb. 23, 2007.
“Time was needed to investigate the incident, determine the nature of the information on the lost tapes, and conclude that recovery of the tapes was unlikely,” IBM said in an FAQ sheet sent to its employees. “In order not to impede any continuing investigative efforts, we are not disclosing the numbers of individuals affected,” it added.
Come on! We weren’t born yesterday. IBM’s excuse for the delay in informing its employees, and for withholding the number affected, seems disingenuous, probably an attempt to avoid further embarrassment. It’s a poor response, not to mention bitterly ironic, given IBM’s focus on security.
My friend was given a year’s worth of free credit reporting to help him track whether anyone is using his stolen information. If IBM thinks this is enough to rescue its relationship with its employees, it might want to take a look at this survey of people who were notified that their personal information had been lost. It found that 20% of the people had already stopped doing business with that company and another 40% were considering it.