On July 5, 2007 I sent a letter to Barbara Brickmeier, VP of Human Resources at IBM, seeking clarification and answers about IBM's data breach incident. IBM's notification letter and FAQ page lacked detailed answers in several areas. My questions for IBM:
- How exactly did IBM verify that I was the correct person in their records? IBM's letter was a surprise since I never worked for IBM. I did work for Lotus Development (until 1991), which IBM bought in 1995. Maybe this was the answer, but I'd changed jobs and residence several times since I'd left Lotus.
- What is the current status of IBM's investigation into the data tape "loss"? It has been over 2 months since IBM first contacted me in May 2007. A lot could have happened since then: the tapes could have been found, the thieves caught, or IBM could have explained exactly how it "lost" its data tapes.
- Does IBM still do business with the vendor that "lost" the data tapes? IBM describes the incident by saying "data tapes were lost while being transported by a vendor" and didn't identify the vendor. You lose an umbrella or a hat. You don't "lose" data tapes holding thousands of records of sensitive employee personal data. News items reporting that the data tapes "fell off the back of the truck..." didn't inspire confidence in IBM's ability to protect the personal data of employees and former employees.
- Does IBM still maintain archived data tapes with my personal data? After this data breach, I need to know whether or not IBM plans to continue to archive my personal data.
- What processes is IBM using to protect my personal data? Assuming IBM continues to archive my personal data, I need to feel confident that my personal data is safe at IBM. Given the nature of IBM's data breach, I don't feel confident in IBM protecting my data.
- What procedures has IBM put in place so that a data tape "loss" during transit doesn't happen again? Assuming IBM continues to archive my personal data, I need to know that IBM has made some type of effort so this incident doesn't happen again.
- How long does IBM plan to archive my personal data? Assuming IBM continues to archive my personal data, there seems to be a point of diminishing usefulness. My data is 16+ years old and largely inaccurate. Destroying the data seems ideal, since it would eliminate the risk to IBM of future data breaches, and would reduce the risk to me.
- Why does IBM archive records with personal data of former employees? It seemed odd for IBM to archive my personal data since I do not have a pension plan or retirement account with IBM. Nor am I on IBM's payroll, so there aren't any tax reasons to archive my personal data. The reasons IBM stated in their FAQ sheet ("...retains records of past employees for a variety of legal, tax, and other reasons, as well as to verify IBM employment when needed.") seemed vague and irrelevant to my situation. Plus, 16+ year-old data can't be very useful (or accurate) to verify employment.
- Why did it take IBM 2.5+ months to notify me of their data breach? The data breach occurred in February 2007. IBM notified me in May. The 2+ month period was plenty of time for identity thieves to cause damage. I'd like to feel confident that in the future IBM will notify me in a timely and prompt manner.
Maybe readers of I've Been Mugged have questions for IBM. If so, it'd be great to hear your questions. If you have already discussed your questions with IBM, I'd love to hear both your questions and the answers you received from IBM.