March 30, 2004

A division of GMAC Financial Services has been quietly informing about 200,000 of its customers that their personal data may have been compromised because of the theft of two laptop computers from an employee's car at a regional office near Atlanta.

In a letter to its personal insurance customers, GMAC Insurance indicates that a "random theft" of the laptops from a locked vehicle may have left them vulnerable to identity theft. The letter, obtained last week by InformationWeek, says the stolen laptops contained customers' names, addresses, dates of birth, Social Security numbers, credit scores, marital status, and gender. "For incidents like this, government regulatory agencies recommend that you place a fraud alert on your credit file," the letter advises customers. The GMAC letter was dated March 12; the theft took place on Jan. 26.

One GMAC Insurance customer, who asked to remain anonymous, received the letter and says he was stunned to learn that the company stored sensitive data on laptops. "I'm not sure how or who determines what constitutes 'secure' when it comes to customers' personal information," the customer says. "However, if company guidelines deem it acceptable to house that data on laptops, in parked cars, then I would question their competence to establish any process and procedure to ensure the security of any data anywhere."

A spokesman for GMAC Insurance last week said the company is reviewing its policies in light of the incident. "We are undertaking a comprehensive review of our security policies and procedures," he says. GMAC Insurance now prohibits employees from transporting "certain types of information" on laptops and is evaluating new encryption technologies, among other approaches, he says. Data on the stolen laptops was password-protected but not encrypted and was being used for a market-research project, the spokesman says.

Corporate security experts generally advise businesses to store sensitive data on secure servers. They usually recommend that employees who need the data access it on the server via secure lines and not store it locally. However, such safeguards often are an afterthought at many businesses. "There aren't a lot of companies that have good procedures for protecting data," says Avivah Litan, a security analyst at research firm Gartner. "It's common for workers to take sensitive data home on an unprotected laptop."

This is just the latest in a series of incidents that have put personal data at risk. In recent weeks, Citibank Japan, H&R Block, BJ's Wholesale Club, and a Utah accounting firm have had data that could be exploited by identity thieves either lost or stolen.

That may be part of the reason identity theft has become a problem that's costing consumers and businesses billions of dollars. According to research published by the Federal Trade Commission in September, 4.6% of consumers the FTC surveyed reported that they were victims of some form of identity theft. The FTC estimates that identity theft cost businesses $33 billion in 2002.

Legislators hope tougher regulations will help curb the problem. Under a law passed last year in California, companies doing business in that state are required to notify any customers who are state residents of any improper release of their personal data. Sen. Dianne Feinstein, D-Calif., has introduced a similar bill at the federal level. Gartner's Litan believes more high-profile data leaks could lead to more regulation. "The problem is becoming rampant," she says, "so clearly more action is needed."