Another Laptop Stolen – More Personal Data At Risk
I checked the mail after getting home from work and found an envelope from the Harley Owner's Group (HOG). That got my attention, since Biketoberfest is around the corner in Daytona. Could it be an interesting offer coming to town during that event?
No, it was a Personal Information Advisory. It seems that a Harley-Davidson employee reported a missing laptop on Monday, August 14, 2006. The laptop contained HOG member data to facilitate registration at HOG events.
The letter claims that Harley-Davidson conducted an extensive investigation, notified law enforcement, and still wants to retrieve the laptop. I'm sure that's true, though the word “extensive” means different things to different people. There are no circumstances provided regarding how the laptop disappeared, whether it was stolen or misplaced.
Harley-Davidson sent a letter to 60,000 people (including me) because the file contained a credit card number and/or driver's license number. I know that HOG has both pieces of information from me, since I had to provide that information for a Fly & Ride rental during a trip to Salt Lake City in April this year.
Additionally, Harley-Davidson provided me with a free one-year account with ConsumerInfo.com to provide credit monitoring. There's a forum on the HOG members web site, and a promise to mail any pertinent information to me about the case.
This is a case where I understand why an employee had customer data on a laptop. Event registrations happen in the field without network access to a corporate database. Also, you never know who may attend an event. Harley owners frequently travel to HOG events out of their own state, so it makes sense to keep information on hand to accommodate those travelers.
However, I do not see any mention of security measures taken to protect data on the laptop. Theft or loss in the field is a reasonably high-probability risk. Is the information password protected? Was the disk encrypted? I tend to doubt it, or the letter would probably try to assure me that my identity information was reasonably secure. How can a major corporation allow sensitive customer information outside of its walls without taking these reasonable precautions to protect it? These days, it's inexcusable to let a laptop with sensitive information go without disk encryption.
I appreciate the notification and apology from Mike Keefe, Vice President and Director of Harley Owner's Group. To Mike, I strongly recommend that you take my advice. Encrypt the hard drive on all of your remaining laptops. Customers like me depend upon your precautions.