Wednesday, March 30, 2011

Lost Laptop Exposes 13,000 Oil Spill Victims

According to a BP spokesman, the laptop was lost on March 1 by an employee on routine business travel.


The laptop held unencrypted information including the names, Social Security numbers, addresses, phone numbers, and dates of birth of people who filed claims related to the Deepwater Horizon accident that occurred last spring.


"The lost laptop was immediately reported to law enforcement authorities and BP security, but has not been located despite a thorough search," BP said Tuesday. BP added that the device was equipped with a tool that would allow the company to disable the system under certain circumstances. No further details were given about what those circumstances are.


Unfortunately, laptops containing sensitive personal data are lost every day, and even more often during travel. In Ponemon's "Billion Dollar Lost Laptop Study", the institute found that 46% of lost laptops contained confidential data, and only 30% of those laptops were encrypted, as shown below. Encryption is not the only method used to protect confidential data on a laptop, but it is one of the most easily implemented and trusted ways to protect your company's and customers' sensitive data.




Friday, March 11, 2011

Cost of Data Breaches Rising – Average Cost $7.2 Million

According to the Ponemon Institute, the average cost of a data breach in 2010 was $7.2 million. This number continues to rise each year. The Ponemon Institute also states that the cost per record breached in 2010 was $214. This cost is up 5% from 2009.


Negligence is the main cause of data breaches and accounts for 41% of reported breaches. Close behind are malicious or criminal acts, which are the reason for 31% of breaches. These malicious or criminal attacks are the most expensive breaches for an organization to respond to and cost an average of $318 per record. While some industries experience higher breach costs than others, these figures represent the averages.

To calculate the potential cost of a breach for your organization, log on to Attevo’s DLP Toolkit and use our free Risk Calculator. This tool will provide you with an estimated cost per record and a total remediation cost estimate.  

Friday, March 4, 2011

Do you consider your ZIP code "personal identification information"?

The California Supreme Court does. In a recent decision, the California Supreme Court ruled that a ZIP code is "personal identification information" for purposes of California Civil Code §1747.08. As a provision of the Song-Beverly Credit Card Act of 1971, California Civil Code §1747.08 prohibits businesses, as a condition to accepting a credit card as payment for goods or services, from requesting and recording personal identification from credit card holders during credit card transactions. Personal identification is further defined in the statute as:
"information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number."
The lawsuit was filed by a private citizen against retailer Williams-Sonoma after a ZIP code was requested at checkout and was later used in conjunction with other information to determine the customer's address for marketing purposes.

This decision comes as a further reminder to credit card processing retailers of the increasing complexity of credit card compliance. With the new Payment Card Industry Data Security Standards (PCI-DSS) and decisions such as this one, non-compliance is becoming more costly than ever. 

Does your organization process credit cards? Would your business be hurt by losing the ability to process credit cards? If you answered yes, it is time to discover your compliance requirements and start working towards meeting the standards put in place by credit card companies and the courts. A great place to start is Attevo's DLP Toolkit, where you can search a database of compliance regulations tailored to your business.