A few days before Christmas I received a thin, white envelope from my mortgage company, ABN AMRO. I thought it was a holiday greeting card. It wasn't. The envelope contained a two-page letter from the CEO explaining how his company had lost a computer tape that contained my social security number--and those of two million other customers. Apparently the tape went missing when the company shipped it via DHL from a Chicago data center to a credit-reporting company in Texas.
While reading the letter I pictured a teenage boy munching on a bag of Doritos in the basement of his parents' house while uploading the tape's contents onto a hacker site. I then saw myself on the phone six months later--my hair significantly grayer--desperately trying to clean up my decimated credit.
In ABN AMRO's defense, it did the right thing. It quickly informed customers of the breach and enrolled them in a free credit-reporting service. But that doesn't excuse the slip up. Why is a company with ABN AMRO's vast resources sending something as valuable as two million social security numbers in an overnight package?
Unfortunately, these breaches are becoming all too frequent, and they're starting to take their toll on the public's faith in corporate America. There is nothing--other than perhaps a Tylenol-type scare--that will do more damage to a company's reputation today than an identity-theft breach.
As a result, it's critical for legal departments to step in and solve the problem. The issue is far too important to leave in the hands of the business and IT folks. They are unaware of the legal liabilities and regulatory backlash that will be unleashed upon corporate America if companies continue to stumble.
But what's the solution? A model that is becoming increasingly popular among larger companies is populating certain high-risk departments with lawyers. Human resources, which is on the front lines of some of the most costly litigation battles that companies face today, is one such example. As this month's cover story reveals, HR executives have finally realized they can no longer function without having lawyers onsite. IT departments may come to a similar realization as identify-theft, e-discovery and privacy concerns overwhelm their resources.
As for the tape with my social security number on it--a day after receiving the letter, the company announced it had found the missing envelope in a DHL warehouse in Ohio.