It could happen to you
Iron Mountain and identity theft
By Ben Worthen, CIO magazine | Published: 20:00, 10 May 2005
It’s been a busy week here at the resource for information executives, and sadly it’s the blog that’s paid the price. But I’m back, and I have a whole week’s worth of things to say. The story that I think has the biggest chance of affecting all of you is the Time Warner/Iron Mountain news. In case you didn’t hear, Iron Mountain, one of the country’s largest storage companies, lost a box of backup tapes containing 600,000 current and former Time Warner employees’ personal data. Apparently the tapes were placed in a container destined for an Iron Mountain storage facility and just never showed up.
Last time I wrote about ID theft, I asked if the reason no one seems to care about the issue (a conclusion reached by the unscientific method of counting the comments on my previous ID theft posts) was because people considered ID theft an issue for financial services firms or other companies that handle a lot of customer data. In other words, it’s easy to take an it-would-never-happen-here attitude.
Someone responded with the following: So what if sensitive info was stolen [regarding] about 10,000 customers? It’s not the company’s identity that will be stolen. It’s not the company that will spend months trying to repair the damage. As long as there is no penalty, companies will not care. And CIOs won’t either.
Well, this is as close as we have come to date to a company having its ID stolen. If my credit card company lost my personal information I would probably call an 800 number and yell at the person with the misfortune of answering the phone. If my company lost my personal information I would probably go downstairs to the IT department and yell at the CIO. IT’s reputation in the company would probably be shot, the board might have to sacrifice the CIO in order to placate irate employees and someone somewhere might try to organize a lawsuit.
I feel like I’m beating a dead horse a little bit, but I really think that CIOs should be scared out of their minds. This is just the sort of issue that Congress likes to get involved with, and if they do, you can bet it will result in a broad sweeping measure that will require Sarbanes-Oxley-like procedures for security.