Coke recently announced that an unspecified number of stolen laptops have compromised the personal information of 74,000 current and former employees. Information residing on the laptops included social security numbers, driver’s license numbers and other sensitive data. Enough about the Coca-Cola stolen laptops.
Should a lost or stolen laptop be classified as a cybercrime – a hacking or intrusion into the organization’s IT systems – or negligence on the part of the organization?
A lost or stolen laptop should be considered negligence if no hacking or intrusion occurred: an employee negligently allowed the laptop to be taken. Were these laptops really stolen, or were they lost, or donated to an electronics recycling company?
Why does this make a difference? One donated hard drive could cost an individual a lifetime of pain and suffering. The company shouldn’t be able to claim that it was the “victim” of cybercrime while an individual is suffering from the organization’s negligence.
How do we find out whether the laptop was stolen or donated? Data privacy laws require that organizations keep an inventory of electronic equipment entering and leaving the organization. Any time the organization allows a vendor to remove a laptop or PC from the organization’s custody, there needs to be a record. A problem arises when an organization donates or gives laptops away without destroying the hard drive first. Data privacy laws require that organizations destroy information when retiring electronic equipment.
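The record-keeping requirement above is only useful if someone actually reconciles the inventory against the custody log. The following Python script is an added example, not code from the original post or from any company named in it: it takes a constructed asset list and a constructed custody log (both hypothetical) and flags every asset that left the organization's custody without a recorded drive destruction, that was destroyed only after it had already left, or that has no custody trail at all. The status and action names are assumptions chosen for the example.

```python
"""Reconcile a hardware inventory against its custody/disposal log.

All data below is constructed for the example; it is not any real
organization's records.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    tag: str      # asset tag, e.g. "LT-0001"
    status: str   # assumed values: "in_service", "released", "missing"


@dataclass(frozen=True)
class CustodyEvent:
    tag: str
    when: date
    action: str                        # assumed: "issued", "returned", "destroyed", "released_to_vendor"
    certificate: Optional[str] = None  # destruction certificate id, for "destroyed" only


# Constructed sample inventory (hypothetical).
ASSETS = [
    Asset("LT-0001", "in_service"),
    Asset("LT-0002", "released"),    # drive destroyed, then chassis went to recycler: fine
    Asset("LT-0003", "released"),    # went to recycler with no destruction record
    Asset("LT-0004", "released"),    # destroyed only after it had already left
    Asset("LT-0005", "in_service"),  # no custody record at all
    Asset("LT-0006", "missing"),     # issued, then unaccounted for
]

# Constructed sample custody log (hypothetical).
EVENTS = [
    CustodyEvent("LT-0001", date(2023, 1, 10), "issued"),
    CustodyEvent("LT-0002", date(2023, 1, 10), "issued"),
    CustodyEvent("LT-0002", date(2023, 6, 1), "returned"),
    CustodyEvent("LT-0002", date(2023, 6, 2), "destroyed", certificate="DC-2023-017"),
    CustodyEvent("LT-0002", date(2023, 6, 5), "released_to_vendor"),
    CustodyEvent("LT-0003", date(2023, 1, 10), "issued"),
    CustodyEvent("LT-0003", date(2023, 6, 1), "returned"),
    CustodyEvent("LT-0003", date(2023, 6, 5), "released_to_vendor"),
    CustodyEvent("LT-0004", date(2023, 1, 10), "issued"),
    CustodyEvent("LT-0004", date(2023, 6, 5), "released_to_vendor"),
    CustodyEvent("LT-0004", date(2023, 6, 9), "destroyed", certificate="DC-2023-021"),
    CustodyEvent("LT-0006", date(2023, 1, 10), "issued"),
]


def reconcile(assets: List[Asset], events: List[CustodyEvent]) -> List[Tuple[str, str]]:
    """Return (asset_tag, finding) pairs for every asset whose records do not
    show its drive destroyed, with a certificate, before it left custody."""
    by_tag: Dict[str, List[CustodyEvent]] = {}
    for ev in sorted(events, key=lambda e: e.when):
        by_tag.setdefault(ev.tag, []).append(ev)

    findings: List[Tuple[str, str]] = []
    for asset in assets:
        history = by_tag.get(asset.tag, [])
        if not history:
            findings.append((asset.tag, "no custody record at all"))
            continue
        if asset.status == "missing":
            findings.append((asset.tag, "unaccounted for; treat data on its drive as exposed"))
            continue

        released = [e for e in history if e.action == "released_to_vendor"]
        destroyed = [e for e in history if e.action == "destroyed"]
        if asset.status == "released" and not released:
            findings.append((asset.tag, "marked released but no release record"))
        if released:
            if not destroyed:
                findings.append((asset.tag, "left custody with no destruction record"))
            else:
                first_destroyed = destroyed[0]
                if first_destroyed.certificate is None:
                    findings.append((asset.tag, "destruction recorded without a certificate"))
                # Events are date-sorted, so comparing the first of each is enough.
                if first_destroyed.when > released[0].when:
                    findings.append((asset.tag, "drive destroyed only after the asset left custody"))
    return findings


if __name__ == "__main__":
    for tag, finding in reconcile(ASSETS, EVENTS):
        print(f"{tag}: {finding}")
```

The ordering check matters as much as the presence check: a destruction certificate dated after the release date means the vendor had possession of an intact drive, which is exactly the "donated hard drive" case the post describes.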
The preferred method of data destruction when disposing of computer equipment is physically shredding the hard drives rather than erasing them. Why hard drive destruction and not erasing? Erasing hard drives is prone to errors and serves no benefit to the organization. I have found that some companies would rather erase hard drives and sell them for $10.00 each on the open market than destroy them.