Thursday, September 13, 2007

Notification of Potential Data Breach

Dear ... Employee,

We recently became aware of an incident involving information that may affect you. A laptop belonging to an ... director was lost during a business trip to Atlanta in late July. The laptop contained personal information on some employees, including you... The laptop was secured by a user name/password combination...

I received the letter above a few days ago from one of my former employers. It made me wonder what other sensitive data were on a laptop used by a director of a large publicly traded company. And could this possibly happen if they used a Software as a Service HR application?

SaaS will not make data on notebooks safer, but chances are that this person would not need to download my personal information to his or her notebook. It is clear to me that incidents like this one prove that the SaaS model is not inherently less secure...

1 comment:

Kris Tuttle said...

I've received this same form letter about 6 times in the last 2 years from nearly all my investment funds and one of my former employers, ironically IBM.

Clearly there are so many people involved with data that no effective controls exist today. Having a centralized access control mechanism that uses a services-based interface seems like a more secure approach. I also think this is much more in alignment with the way Cisco thinks about data versus the system companies.