Laptop theft at Fidelity exposes data on 196,000 HP workers

Computerworld - Fidelity Investments today confirmed that a laptop containing confidential information on more than 196,000 current and former employees at Hewlett-Packard Co. and its acquisitions was recently stolen from the firm. The theft may have exposed information such as the names, Social Security numbers and compensation details for the workers.

Though there is no evidence that the stolen information has been misused so far, Fidelity has begun sending out letters to all of the affected employees informing them about the incident and recommending follow-up action, a spokeswoman said via e-mail.

The laptop, which held personal data about participants in an HP-sponsored retirement plan, was stolen from employees who had brought it to a business meeting outside of Fidelity, according to Anne Crowley, a spokeswoman for Fidelity Investments.

“It is not our practice to have that level of data on a laptop,” Crowley said. “We limit significantly the use of such confidential data outside of Fidelity to only those instances where the information is appropriate or required for meetings with clients about their specific plans and participants,” she said.

According to Crowley, the laptop application with the personal data was running on a temporary license that has since expired. As a result, the “scrambled data” contained in the laptop should be difficult to interpret and generally unusable, she said.

“At this time, we are unaware of any misuse of the information contained in the software on the laptop,” she said. The company has also been monitoring the affected HP accounts and has so far seen no indication of unusual or suspicious activity.

“We have taken steps to implement extra security processes requiring additional authentication for access to those HP accounts, as well as other measures to prevent unauthorized use,” she said without elaborating.

After the theft, Fidelity contacted the three principal credit-reporting bureaus to advise them of the situation and arranged for those affected to enroll in a free credit-monitoring service. The service includes credit monitoring, a copy of their credit reports and notification of activity.

“If we conclude an unauthorized transaction has taken place in [an individual’s] Fidelity account as a result of this incident, we will reimburse them for account losses connected with the unauthorized transactions,” Crowley said.

News of Fidelity’s laptop loss comes amid heightened debate over a national breach-disclosure law now under debate in Congress. The bill, which was recently passed by the House Financial Services Committee (see ”Consumer groups rail against proposed data-breach notification law”), is known as the Financial Data Protection Act of 2005 (H.R. 3997) and is designed to give financial services companies such as Fidelity a national standard for securing sensitive personal information and notifying consumers in the event of a data breach.

A highly controversial provision in the bill would allow companies such as Fidelity to notify consumers of breaches only if they think there is a reasonable risk of actual harm resulting from the breach.

Critics of the proposed bill have blasted it, claiming that it would preempt much stronger state laws already in place while allowing financial services companies too much leeway in deciding when to disclose a security breach.

Read more about security in Computerworld's Security Knowledge Center.