Petco Is Latest Victim Of The All-Too-Common Data Breach Via Stolen Laptop

Petco this week became the latest retailer to suffer a data breach by way of auditors and stolen laptops. The breach in this instance involved sensitive employee data—names and Social Security numbers—but neither customer data nor payment-card information. Still, this situation raises the questions: What data-handling requirements for contractors are reasonable, and when do they become absurd?

In the case of Petco's auditors, some sensible precautions had been taken. The "laptop computers were protected with a strong password and the Plan information was contained in a software program that is protected with an encrypted password," according to an employee memo. Note what that description mentions and what it does not: passwords, not disk encryption. A login password and a password-protected application do little for data at rest. Unless the drive itself is encrypted, whoever ends up with the hardware can pull the disk, mount it on another machine and read the files without ever seeing a login prompt. The memo's quoted wording leaves open whether that was the case here.

The theft happened inside an office, but we've seen far too many cases recently of laptops stolen from cars. (New line for all contractor agreements: Don't leave my stuff in a car or else you'll pay 40 percent of your fee in a stupidity penalty.)

As is often the case with such crimes, the thieves in the Petco incident apparently didn't know, or care, about the data inside the laptops. "The police officers from the City of San Diego Police Department to whom the outside auditor reported the theft believe that the thieves targeted the equipment rather than the information stored on the equipment," the memo said. That's quite likely the case, because the thieves probably don't want the laptops for themselves. They'll be quickly sold through a wide range of channels, including eBay. The risk, then, is not the thieves but whoever ends up with the machines and takes a look at what is on them. Depending on who that purchaser is, the data could still reach an identity thief, and the thieves' motive does nothing to reduce that exposure.

Social Security numbers, unlike payment-card numbers, can't be easily cancelled. (It can be done, by the way. But it's far from easy, and it requires the person to wait until after harm has been done. Preventive SS# changes are almost impossible.) They can be flagged, but that provides relatively minimal protection.

By the way, there was an interesting line in the Petco memo: "On Tuesday, July 3, 2012, the outside auditor of Petco's 401(k) Plan informed us that five laptop computers had been stolen from their offices during the weekend of May 18-20, 2012. We are seeking an explanation from the outside auditor's office for the lapse of time in informing Petco of this incident." That is roughly six weeks between the theft and the auditor's notice. But Petco learned of this situation on July 3 and yet didn't tell employees until July 28, another 25 days. Is Petco also seeking an explanation for its own delay?