Ameriprise Nailed by Mass for Stolen Laptop
Bloomberg - Ameriprise Financial Inc. will hire a security consultant and pay $25,000 as part of a settlement with Massachusetts regulators after a laptop containing personal information on about 230,000 customers and financial advisers was stolen last year. The consultant will review security policies and offer recommendations within six months, according to an agreement with William Francis Galvin, secretary of the Commonwealth of Massachusetts. Ameriprise, which operates a network of financial advisers, has until September to make the changes.
Full Story (Bloomberg) . . . More (TG Daily)
Our Analysis:
The chickens, as they say, are coming home to roost. In the legal precincts of identity theft this is a significant, even landmark, development. According to the article: “Regulators are increasingly holding brokerage firms accountable for safeguarding customers' personal data following thefts of laptops from employees of Ameriprise and Fidelity Investments. The settlement with Ameriprise may mark the first time that a regulator has acted over the theft of a laptop containing personal information, according to the Privacy Rights Clearinghouse, a non-profit San Diego-based consumer advocacy group.” This is just the beginning, but it could signal a welcome trend and hopefully compel organizations that do not pay attention to what is on their laptops and where they last put them to change their ways.
It could be argued that the rash of security breaches over the years (321 reported cases this year alone), of the sort for which Ameriprise was just nailed, stems from organizational complacency, which in turn is fostered by an environment where accountability has simply not been an issue. If there are no serious consequences to such carelessness—which is more properly termed negligence—then what real motivation do these organizations have to actually change their procedures, and really, the whole culture responsible for such incidents?
The message of the Ameriprise case is clear: there are real legal and financial consequences for playing fast and loose with sensitive customer and employee information. To say nothing of the fact that allowing something so careless to happen, and then getting nailed for it, is really bad advertising.