A case study on how one could improve efforts to secure items containing sensitive data.
Who would have thought that the loss of a simple $100 item would put a Canadian province and other parts of the country up in arms? In early 2003, just such a thing happened. A $100 item doesn’t seem like much, but when that $100 item is a hard drive full of sensitive personal information, one can see why there would be considerable upset over its loss. The potential costs associated with the data stored on the equipment far exceed the small loss actually incurred by the disappearance of the hard drive itself.
The theft of the hard drive was a crime from within. Former employee Daniel Gregory Harrison brought it home “because he needed a little extra storage space for his personal computer needs” (Laudon & Laudon, 2005). The mere fact that an employee was able to walk out of the ISM headquarters carrying a hard drive that may have had personal data stored on it shows a weakness in the security setup at the ISM headquarters. Had the company’s security screening process been set up properly, this probably would never have occurred. One way to prevent a theft such as this in the future would be to implement stronger security measures, such as random screenings of employees’ briefcases and other personal effects as they enter and exit the building, or possibly even screening everyone every day.
“About 1 million” people had data lost when this hard drive disappeared (Laudon & Laudon, 2005). According to a survey conducted by the FTC on identity theft in 2003 (FTC Releases Survey of Identity Theft in U.S. 27.3 Million Victims in Past 5 Years, Billions in Losses for Businesses and Consumers, 2003), the average loss per identity theft case was $1,180 (USD). Multiplying that out and converting to Canadian dollars, the amount potentially lost through the loss of this hard drive could have been more than $1.5 billion, or 1,438,832,976% more than the actual dollar value of the hard drive (Yahoo! Finance, 2005).
The disappearance of the hard drive was definitely an organizational problem. The organization had not taken proper steps to secure old backups of its data, whether for destruction or for future use. Technology was not a factor, because the theft of the drive caused no actual data loss: the drive was not in use when it was taken from ISM. Nor does it seem to have been a management problem, because there was no indication that management was in charge of personnel security, and management therefore would not have been at fault. The only person in management who might be at fault would be Harrison’s immediate supervisor. If security measures were in place, there was probably some kind of statement for Harrison to sign, acknowledging that he was working with sensitive material and that no data should be removed from the premises. If this statement was signed and on file, then his supervisor performed the job assigned and was not responsible for any liabilities. It is clear that the organization and its security measures were to blame for the loss of the hard drive taken by Harrison and of the data stored on it.
Laudon, K., & Laudon, J. (2005). Essentials of management information systems: Managing the digital firm. 6th ed. Upper Saddle River, NJ: Pearson/Prentice Hall.
FTC. (2003). FTC releases survey of identity theft in U.S. 27.3 million victims in past 5 years, billions in losses for businesses and consumers. Retrieved Jul. 23, 2005, from http://www.ftc.gov/opa/2003/09/idtheft.htm
Yahoo! Finance. (n.d.). Retrieved Jul. 23, 2005, from Currency Converter Web site: http://finance.yahoo.com/currency