NORTH CAROLINA DETAILS REPORTED ON BANK OF AMERICA STOLEN COMPUTER Charlotte Observer | 05/22/2007 | Report details BofA theft:


Report details BofA theft
Laptop with personal data taken from employee's car, records show
RICK ROTHACKER
rrothacker@charlotteobserver.com

The theft earlier this year of a Bank of America Corp. laptop containing personal information about current and former employees raises questions about the bank's efforts to protect sensitive data, experts said.

Last month, the Charlotte bank sent letters notifying a 'limited' number of people that their information was lost when an employee was the victim of a 'break-in.' But the bank didn't disclose details of the circumstances or the location.

A police report obtained by the Observer, however, shows the laptop was swiped from an employee's car in a Charlotte parking lot.

With concerns about identity theft on the rise, experts question whether confidential personal information should ever leave the office. They also say companies should be careful in their use of Social Security numbers to identify employees and customers.

If this kind of information is taken home, employees should be mindful of where they leave their laptops and data should be encrypted, they said.

"There is no excuse for bringing data home," Avivah Litan, a senior analyst with research firm Gartner Inc., said Monday. "It's all on a bank's server well-protected, and everyone has an Internet connection or can get one."

In the hands of identity thieves, personal data can be used to open new accounts or run up bills on existing ones. Experts, however, caution that laptop thefts often lead to angst but no actual identitytheft. Thieves may not know the data is on the laptop or be able to access it.

Bank of America has said it has no evidence the personal data -- which included names, addresses, Social Security numbers and dates of birth -- has been misused. It hasn't disclosed how many current and former employees were affected. The bank employs about 200,000 worldwide, including about 15,000 in the Charlotte area.

Charlotte-Mecklenburg police Officer Bob Fey said the department has no suspects in the theft, according to the latest update to the file. The department said some information about the case is not public and the Observer is publishing limited details from the report.

One former employee who received a letter saying her data was on the laptop said a bank official told her the information was being used in a "benefits analysis." She wondered why this kind of work would be done on a laptop using personal data.

"Why do they need someone's personal information to do a benefits analysis?" asked the former employee, who spoke on condition of anonymity because of the sensitivity of the matter. "Why not use raw numbers with no names attached?"

Bank of America wouldn't comment on whether the employee whose laptop was stolen is still with the bank. The employee named in the police report could not be reached for comment.

Stolen laptops are an all-too common problem, said Litan of Gartner. Despite company policies against taking data home, employees are still doing it, she said.

If data does leave the office, laptops need more than a password that's entered when a user first logs into the computer, said Linda Foley, founder of the nonprofit Identity Theft Resource Center, a San Diego-based organization that seeks to help consumers and businesses with ID theft issues. Individual files should be password-protected and encryption should be used to further secure data.

In addition, employees should not leave laptops in plain view inside a car, Foley said. Computers should be put in the trunk at work, not in a gym or store parking lot where a thief might be lurking.

In the letter sent to affected employees, Bank of America said the laptop had "information protection features." It also said the company was taking steps "to strengthen practices for the handling and storage of associate data."

Spokesman Scott Silvestri wouldn't comment on the stolen laptop, citing the pending investigation. He also wouldn't comment on security policies other than to say: "All associates are currently required to undergo annual information protection training and certification. We continuously look for ways to minimize or eliminate risk in the handling of information."

Bank of America has offered a free credit monitoring service for two years to those affected by the breach. It also has advised the affected individuals to check their financial statements closely and report any problems to the bank.

Security Breaches

Since 2005, breaches at companies, government agencies and other sources have exposed more than 154 million personal records, according to the nonprofit Privacy Rights Clearinghouse. In recent months, laptops have been stolen containing the personal information of veterans and N.C. taxpayers.