BP’s Gulf Data Spill

BP loses laptop containing Personal Information of 13,000 Oil Spill Claimants

On March 1, 2011, BP lost a laptop computer containing Personal Information (PI) on 13,000 people who made claims against BP following the Deepwater Horizon oil spill in 2010.  It was reported by eWeek / Europe that the information included social security numbers and was contained in a password-protected spreadsheet but not encrypted.  Apparently, it was not until March 30th that BP notified the claimants that their information had been lost.

Social security numbers are one of the touchstone identifiers for PI.  Failure to encrypt this information on a portable computer would expressly violate Massachusetts’ Identity Theft regulations, if any of the claimaints were Massachusetts’ residents.  Regulation 201 CMR 17.04(5) absolutely requires: “Encryption of all personal information stored on laptops or  other portable devices.”

This entry was posted in Information Security and tagged , . Bookmark the permalink.

Comments are closed.