"We are writing because of an incident that has resulted in the loss of information relating to your IBM employment, and we wanted to inform you about what happened and explain steps IBM is taking to help protect you.
Recently data tapes were lost while being transported by a vendor. Those tapes contained primarily archival IBM employment-related information, including Social Security numbers. After a thorough investigation…we have concluded the tape loss was inadvertent and not associated with theft or any other unlawful activity."
The letter goes on to explain that no one has reported identity theft and the tapes can’t be read by a personal computer. But the Q&A gives more details; namely that the tapes were lost on February 23, 2007 and they not only have SSNs but also birthdays, contact information, and work history.
IBM has also included a year of free credit monitoring, just in case.
So: it’s bad that the tapes were lost. It’s good that they didn’t wait a year like TJX to identify the problem and alert consumers. But in this case, does ignorance = bliss? I’m not a PR/crisis management type; this was certainly a proactive move by IBM. However, another strategy would be to have a quick response prepared in case signs of trouble pop up (e.g. using brand monitoring tools).
Any thoughts on what IBM’s "right" move would be in this situation?
UPDATE: See this Consumerist post about the GAO and data breach notification…