A prior blog entry discussed the letter I sent to Barbara Brickmeier, IBM's Vice President of Human Resources, since Mrs. Brickmeier's office sent the data breach notification. On July 16, Windall White, a representative at IBM's North Carolina facility, called me. During a 75-minute phone conversation on July 18, Mr. White and I discussed my letter, question by question. Mr. White described himself as an IBM retiree, now working in IBM's Human Resources department, as part of IBM's focus on the data breach. IBM's answers to each of my questions are listed below:
How exactly did IBM verify that I was the correct person in their records?
I asked this question since IBM's letter was a surprise, because I have never worked for IBM. Mr. White verified that IBM acquired my personal data when IBM purchased Lotus Development Corporation in 1995. So, Lotus kept my personal data for about 4 years; and IBM kept my personal data for another 12 years. (For nostalgia, visit the Lotus Museum.)
I also asked this question because I was curious exactly how IBM located me, since I moved my residence twice since I worked at Lotus 16 years ago. Mr. White explained that IBM hired the Kroll risk consulting company both for IBM's corporate investigation needs and as a credit-monitoring service for former IBM employees affected by its data breach. Mr. White explained that Kroll searched through public records databases to find former employees like me. He added that since the "lost" data tapes were backup tapes, IBM had to reconstruct the list of affected former employees. I asked whether Kroll used my SS# to do this search. Mr. White never answered that question. I interpreted his silence as a "yes."
While I appreciate IBM's diligence to locate and notify former employees affected by their data breach, I can't ignore the implications. First, IBM pursued an internal policy where it archived my personal data for at least 12 years. The data IBM had about me was 16 years old; old address information. Second, IBM pursued a data breach notification process where IBM updated its files with the current personal data for former employees. So now IBM had my current address information.
Third, both IBM and Kroll have my current personal data. In its efforts to protect itself from risk, IBM shared my personal data with another company without my knowledge or consent. If I hadn't asked IBM, I wouldn't have known any of this. I wonder how many other former IBM employees affected by IBM's data breach know where IBM shares their personal data. I do know that some former IBM employees are hesitant to trust Kroll since they were recommended by IBM, who lost the data tapes which caused the problem. Fourth, if I use Kroll's credit monitoring service, will Kroll be acting in my best interests? Consider: IBM pays Kroll for one year of free credit monitoring services for former employees who choose this option; and IBM pays Kroll for investigation projects. How objective can Kroll be?
What is the current status of IBM's investigation into the data tape "loss?"
I received IBM's data breach notification in May. It's now July... 2+ months later. I hadn't received any more correspondence from IBM since the data breach notification. Perhaps the tapes were found or the thieves caught; especially since IBM offered a reward for return of the "lost" data tapes. Or maybe IBM was now ready to disclose details about how the data tapes were "lost."
Mr. White was quite clear and unhelpful. According to Mr. White, IBM's position is still not to disclose details about the investigation, since it is an on-going investigation. He consistently referred to the incident as a "data tape loss." When I challenged Mr. White about "lost" versus "stolen," he mentioned two items, a) the vendor did not know the tapes' contents, and b) he didn't want to speculate as there wasn't any evidence that the tapes were stolen or the personal information was used by ID theft thieves.
IBM's response is very frustrating and unhelpful because it will likely be us former IBM employees and ID-theft victims who bear the ID-theft risk and bear the burden to continually check our credit reports. It will be us, not IBM, who will notice first on our credit reports the attempts by identity thieves to abuse our personal data. I guess then, when we tell IBM, IBM will know that the data tapes were "stolen" and not "lost."
Sounds to me like we are doing a job IBM should be doing.
Mr. White added that IBM did not disclose the details mentioned in the Computerworld article; that the Computerworld article was based on an Associated Press reporter's story, not information supplied by IBM. I found that I had to listen very closely to Mr. White's words. It was like talking with a lawyer. Mr. White didn't dispute the story as inaccurate. Mr. White just emphasized that IBM didn't release any details about the data tape "loss." To me, when I hear a statement like that, it's an indirect implication that the Computerworld news article was inaccurate.
Well, clear it up IBM! Release some details about the data breach incident. A good start would be the number of employee records stolen. Almost all other companies with data breaches release information about the number of records stolen. A good start would be the status of the vendor and some detail about the status of the investigation.
I also reminded Mr. White that since IBM has my personal data, I need to feel confident that IBM is doing everything IBM can to protect my data and retrieve the data tapes. Again, Mr. White didn't offer any details about IBM's data breach or IBM's investigation. He did confirm that IBM reported the incident to law enforcement. It felt like I was talking to a brick wall. This was frustrating, since IBM's "loss" of the data tapes created the problem which was now inconveniencing me. Mr. White was very polite about acknowledging my concerns, but at the same time unhelpful with providing any kind of details.
Does IBM still do business with the vendor that "lost" the data tapes?
An answer here was important to me for several reasons. First, you lose an umbrella or a hat. You don't "lose" data tapes with thousands of records with sensitive employee personal data. Second, the details have implications. You hire a transportation vendor to deliver items from one location to another. A trustworthy vendor should be able to explain in detail any problems; but there shouldn't be any delivery problems. A trustworthy vendor should do criminal background checks on its employees. There is one set of implications if IBM's vendor didn't follow established IBM data security policies. There is a different set of implications if the vendor followed established IBM data security policies (meaning IBM's data security policies are deficient in some manner).
Third, news items which reported that the data tapes "fell off the back of the truck..." didn't inspire confidence in IBM's ability to protect my personal data. Mr. White explained that the vendor did not know the contents of the "lost" data tapes. Again, Mr. White didn't offer any details (e.g., vendor's name, whether or not IBM still uses this vendor, etc.) except vague, general statements that IBM has dedicated lots of resources to the problem and IBM doesn't want this to happen again.
In my view, vague statements aren't enough. Mr. White did confirm that the data tapes were backup tapes in transit from IBM's headquarters in Armonk, New York to an undisclosed location as part of IBM's data archive and disaster recovery process. Mr. White said IBM would never disclose the location of IBM's remote data backup facility. I didn't expect that, but I did expect some details about the status of the investigation about the vendor.
Based on these vague assurances, I still have no confidence that IBM will sufficiently protect my personal data. During the phone call, I felt that Mr. White was assigned to the data breach incident to "handle" callers like me. Mr. White kept a calm voice, acknowledged my concerns, but rarely offered any details. I guess IBM hopes that former employees like me will just go away and be happy with vague assurances.
What procedures has IBM put in place so that a data tape "loss" during transit doesn't happen again?
Assuming IBM decides to continue to archive my personal data, I need to know that IBM has made some type of effort so this incident doesn't happen again. Once again, I heard vague statements from Mr. White about IBM devoting lots of resources to the data breach incident. No details... no amounts... no numbers of employees assigned.
And unfortunately this gets worse. An upcoming blog entry will cover more about my questions and IBM's answers.