A handbag with a Deloitte laptop in it was stolen from a public place in September. The laptop held information which included employee details of individuals from a number of Deloitte's clients. It did not include addresses or bank account information. The theft was immediately reported to the police and relevant clients were notified.
The laptop was protected by a number of security measures, including start up password, operating system user ID/password authentication and encryption.
THE PROJECT FAILURES ANALYSIS
Oh, the irony of a security consulting firm, offering an information security advisory practice, that loses a laptop containing confidential client information.
One Deloitte enterprise risk services brochure says the firm conducts interviews and workshops with key information custodians, producing "instant and powerful results," including (emphasis added):
Identifying business processes and staff that have unnecessary levels of access to client information
Identifying applications that are unnecessarily processing client information
Identifying serious breaches of policy and procedure that require immediate address
Raising levels of awareness among information custodians of the profile client information security has with senior management.
Plain English translation: Deloitte tells its clients to be careful not to lose data. Obviously, the company doesn't always follow its own advice.
In a report on the financial services industry, Deloitte warned readers about the risks of losing confidential information stored on laptops:
The dramatic increase in the use of laptops and of handheld devices...puts enterprises at significant risk if the equipment is lost or stolen.... Laptops are a particularly weak link in the storage of personal information at companies.
Deloitte's understanding of the issues, and its thought leadership on them, provide no comfort to affected workers. Gerry Doherty, general secretary of the Transport Salaried Staff Association, said:
We are extremely concerned that this personal information affecting well over 100,000 people has gone missing. All we have received are bland assurances that everything is going to be all right.
For reasons I truly cannot fathom, organizations such as Deloitte establish information security policies which employees routinely ignore. Deloitte, shame on you.