When a Pfizer employee last June exposed sensitive data on 15,700 fellow employees from his home computer — where his spouse had enabled peer-to-peer connectivity — little did he know that he was adding a new item to the 2008 agendas of CPOs and CISOs across the country.
Employee home offices had long been a concern for data-protection leaders, but murky legal considerations stymied any initiatives to address this risk. With security-breach notification now a $100 million cost and brand liability, it's only a matter of time before corporate-compliance programs bring employee homes within their purview. (See Table 1 for seven other publicized home-office breaches.)
The focus on the home office couldn't have come sooner. With the economy apparently slowing down, security officers are sitting up and taking notice. It's not only because otherwise good employees might be tempted by hard times to abuse their access privileges. The real problem is more widespread: employees and contractors in all positions, fearing layoffs, taking more and more work home to unsecured computing environments.
Two remarkable innovations — the BlackBerry and the USB drive — have rapidly accelerated this bleeding of the workplace into every corner of American life. Add in portable Internet cards, and you have large amounts of Internet-accessible data following employees and contractors wherever they are. And where are they most of the time, besides work?
Burglars and hackers have caused a number of highly publicized home-office incidents, raising the question for CPOs of how to bring employee homes within the purview of corporate compliance initiatives.
Employers, happy to cut the overhead of office space and take credit for offering flexible work arrangements, have gladly let employees turn their homes into de facto field offices.
But has corporate America written a check it can't cash? With the cost of the Department of Veterans Affairs and TJX breaches each expected to reach $500 million, can companies really afford to take these risks?
Table 1: Selected Home-Office Privacy Breaches
| Date | Organization breached | Nature of breach | Impact |
|---|---|---|---|
| December 2007 | Forrester Research (Massachusetts) | Burglar stole laptop from employee's home | Personal data, including Social Security numbers, of an undisclosed number of current and former employees exposed |
| December 2007 | West Penn Allegheny Health System (Pennsylvania) | Burglar stole laptop from employee's home | Personal and clinical information on 42,000 patients exposed |
| November 2007 | Provincial Public Health Laboratory (Canada) | Hacker extracted patient data from consultant's computer via an unsecured home Internet connection | Names, medical ID numbers, and test results for infectious diseases, including HIV and hepatitis, exposed for an indeterminate number of citizens; health minister forced to explain |
| May 2007 | Pfizer (New York) | A third party copied employee information from the computer of an employee whose spouse had installed peer-to-peer software on it while that computer was connected to the Internet at home | Names, SSNs and in some cases addresses and bonus information on 15,700 employees exposed |
| February 2007 | Nationwide Building Society (U.K.) | Burglar stole laptop from employee's home | 11 million customers' information exposed; company fined £1.4 million by U.K. government; CEO forced to explain |
| May 2006 | Department of Veterans Affairs (District of Columbia) | Burglar stole laptop from employee's home | 25 million veterans' information exposed; department expects to incur $100 million to $500 million in costs related to the breach |
| May 2006 | Nationwide Agribusiness (Ohio) | Burglar stole laptop from employee's home | 306 employee names, addresses, and SSNs exposed |
| September 2004 | Brazos Higher Education Service Corporation (Texas) | Burglar stole laptop from employee's home | Brazos could not determine which customers' information may have been exposed, so notified all customers of the breach; unsuccessful lawsuit brought by one customer |