July 7, 2006 at 6:00 AM ET
Ten laptop computers were stolen from a team of securities regulators conducting an investigation last February, but the computers contained scant amounts of personal information, according to the National Association of Securities Dealers.
There is irony in this story. The regulators were conducting what’s known as a “cause” exam, an investigation into possible misconduct by two member firms. The only consumers whose identities were put at risk by the theft were the subjects of the investigation, according to the NASD.
The incident underscores the jittery environment surrounding laptop computers and private information in light of several high-profile hardware thefts in recent months.
The NASD laptop theft was first disclosed this week in an industry newsletter operated by M. Rogan LaBier.
The break-in occurred in the regulator’s Boca Raton, Fla., office on Feb. 25, the NASD confirmed. Two months later, the agency warned 73 securities dealers who were questioned during personal interviews and supplied their Social Security numbers during questioning. Transcripts of those interviews were stored on the stolen laptops, according to the NASD.
About 1,000 consumers’ names and investment account numbers also were on the laptops, but none of those accounts was active, said NASD spokesman Herb Perone. The accounts were located at two firms that are now out of business, he said.
Several hundred additional consumers’ personal information may have been on the computers as part of data sampling done by auditors to investigate potential abuses, but the data did not include Social Security numbers or other information required to commit fraud or identity theft, Perone said.
Perone would not disclose which firms were being investigated during the incident. Consumers on the list were not notified because they were not placed at risk, he said.
The NASD has altered some practices in light of the theft. Interview subjects are no longer identified by Social Security numbers, and data on all laptops in NASD district offices is encrypted, Perone said.
Congress is considering a host of proposals to deal with similar data loss incidents. In most versions of the law, only data losses that create a significant likelihood of harm to consumers would be required to be disclosed, and companies involved in the data leak would decide on the risk.
There have been “happy ending” data loss incidents lately, such as the Veterans Administration laptop that was lost and now is found.
But as privacy news continues to dominate the headlines, companies and agencies involved in data leaks or stolen laptop incidents would be better served by disclosing as much information as possible, as quickly as possible. Precise details, such as how many account numbers were taken or how many computers disappeared, are always the best antidote to rumors and half-truths.