On July 18, I discussed IBM's data breach with Mr. Windall White, a representative at IBM's North Carolina facility. During this phone conversation, Mr. White and I discussed my letter to Barbara Brickmeier, IBM's Vice President of Human Resources, since IBM's data breach notification came from Mrs. Brickmeier's office. Part One in this blog discussed questions about IBM's breach notification and the data breach. This blog entry covers more questions Mr. White and I discussed on July 18:
Does IBM still maintain archived data tapes with my personal data?
Mr. White explained that it has been IBM's policy to archive the personal data of former employees. After the "loss" of the back-up data tapes (with my 16-year-old data), IBM reconstructed the list of affected employees and former employees. To contact some former employees (like me), IBM hired Kroll to search public records. So, IBM (and Kroll) now have my current personal data. Mr. White did not say how long IBM planned to continue to archive my personal data, or when (or if) IBM might destroy my personal data.
Why does IBM archive records with personal data of former employees?
Mr. White explained that it has been IBM's policy to archive personal data for all former employees since different states and courts have varying requirements for records retention. He also repeated the statements from IBM's breach notificcation about, "... for a variety of legal, tax, and other reasons, as well as to verify IBM employment." I reminded him that the personal data IBM originally had about me was 16 years old... not very useful for employment verification. i also reminded him that I have no relationship with IBM (e.g., pension, retirement account, 401-K account, etc.) so the "tax" reason seemed irrelevant. Again, I received the standard answer.
Mr. White also indicated that IBM's protocols were under review. It was hard for me to judge how sincere a statement this is. Is IBM truly reviewing its protocols regarding records retention, or is this a convenient (and vague) answer to get me to go away quietly?
How long does IBM plan to archive my personal data?
Again, Mr. White (and IBM) were vague in answering this question. Mr. White indicated that it has been IBM's policy to retain personal data for former employees. Mr. White did not indicate when, if at all, IBM would destroy my personal data. I emphasized with Mr. White that destroying the personal data of former employees would reduce the risk to both IBM and to me of any future data breaches. I left the phone call with the understanding that IBM was continuing to archive my personal data with no destruction date planned.
What processes is IBM using to protect my personal data?
I didn't expect IBM to divulge any trade secrets, but I did ask this question because I need to feel confident that IBM is doing everything it can to protect my personal data it archives. Again, Mr. White 's answers were vague and unhelpful.
Why did it take IBM 2.5+ months to notify me of their data breach?
First, I applaud IBM for notifying me of their data breach, especially since data breach notification is not required (yet) in the state (Massachusetts) where I live. Second, I asked this question since I received IBM's breach notification letter over 2 months after the data breach; plenty of time for identity thieves to do damage. I emphasized with Mr. White that I need to feel confident that IBM will contact me in the future in a more timely manner. Mr. White explained that IBM will use the IBM data breach notification web site and other means -- I assume to be surface postal mail and/or the telephone. My inquiry to IBM included my current e-mail address (which IBM hasn't used so far).
If other former IBM employees want to contact IBM, I've listed Mr. White's contact information below. Maybe you can get more detailed answers from IBM than I did:
Mr. Windall White
3039 East Cornwallis Road
P.O. Box 12195
Research triangle Park, North Carolina 27709-2195
Phone: (919) 543-5246
Post-IBM-conversation thoughts and considerations: My biggest take-aways from my conversation with IBM were that: a) IBM has had, and still has, an internal policy to archive personal data for all employees, and b) to archive this data forever. This policy sounds like a huge C-Y-A move based on the off-chance that IBM may have to defend itself in a lawsuit. IBM's records retention policy may have been effective in past decades before digital data, the Internet and home computers, but the policy now appears antiquated and obsolete given today's data environment, security needs, and ID theft threats. (Example: under IBM's existing policy, it stored employees complete SS# and address. For increased security, many states today mandate retailers to stored only a partial employees' SS# and still perform the validation and checks required. IBM could do the same.)
I also wonder why IBM kept my personal data for 12 years; 16 years including the time Lotus archived it, too. IBM's records retention policy seems to fly against generally accepted retention guidelines. Bradley University has compiled tables with the federal and state laws for records retention by:
When I reviewed these tables, I noticed that most conditions for retention ended before 3 or 4 years. Only two Health Records conditions specified a longer retention period: 30 years for "Exposure and monitoring records," and "Employment physicals/medical exams." While I am not a legal or records retention expert, neither condition seems to apply to my situation. Nothing in the tables seem to valid IBM's decision to archive former employee data for 16 years, or more. I don't have any pension, retirement, 401-K, or active files with IBM; except for the new investigation file IBM has created due to their February 2007 data breach.
I'd probably have no problem with IBM archiving my personal data if either; a) IBM's record retention policy wasn't to archive former employee personal data forever, and b) I felt confident that IBM was doing everything possible to protect my personal data. There are just too many gaps and vague answers from IBM for me to feel confident. And, the one year of free credit monitoring just doesn't cover the risk period IBM's data breach has created.
What do you think? Are IBM's answers satisfactory to you? What do you make of the Bradley University tables about records retention?
Next entry: Identity Thieves Operate Quickly