I’ve written in the past about how Arizona is the number one state in the nation regarding incidents of identity theft. Well, unfortunately it appears that other states want to catch up. Yesterday, I heard about the most recent theft of personal confidential information and social security numbers from an financial company known as ING Financial Services. Apparently, thieves stole a laptop computer containing social security numbers of 13,000 District of Columbia employees and retirees. The laptop computer was stolen from the home of an ING company employee. The laptop with this highly sensitive personal information contained no password protection nor did it contain any data encryption.
What shocks me about this story is that once again a company that knew about the risks did not take preventative steps to miminize these identity theft risks. Simple safeguards such as password protection and data encryption could have minimized the risk of identity theft exposure for 13,000 District of Columbia employees. Now all of these victims must place an alert on their credit and regularly monitor their credit records for the next several years. If ING knew about other incidents of data theft involving computer laptop thefts dating back to last year, why didn’t it take simple, low-cost preventative steps? Why did it allow its employee to take home a computer containing highly personal information without at least encrypting and password-protecting it? If media stories about this theft are true, than I firmly believe that ING Financial Services Company faces serious questions about how it conducts business and protects its customers. Moreover, I believe that ING faces liability exposure for allowing thieves to gain unfettered access to confidential information. Anybody knows that laptop computers are an easy target for thieves. ING seems to have ignored simple preventative techniques which are standard in the financial services industry. If news accounts are true, I would certainly agree to take on this type of case to ensure corporate accountability to victims and to guard against further mis-handling of sensitive information.