Over at bna.com, Bloomberg Law reminds us that there are a number of “legal battles over workplace cybersecurity being waged” in the USA. One example is ENSLIN v. THE COCA-COLA COMPANY ET AL, which has been ongoing since 2014.
The breach was covered here and here previously, and the short version is: a Coca-Cola employee stole laptops that were meant to be disposed of, triggering the data breach. This resulted in a former Coca-Cola employee, Enslin, suing the beverage maker for failing to adequately protect employee information. In his complaint, Enslin says that he fell victim to identity theft and other crimes not long after receiving the breach notification letter.
When the story originally hit the wires in 2014, there was a dearth of information. Three years and a bunch of court filings later, we have more to go on.
Quis Custodiet Ipsos Custodes? (i.e., Who will Police the Police?)
As noted in a previous post, it would have been hard (possibly near impossible, depending on the circumstances) for Coca-Cola to prevent the theft of the laptops. The computers at the center of the breach – 55 of them, stolen from Coca-Cola over a period of six-and-a-half years – were meant to be disposed of… and the thief, another Coca-Cola employee, Thomas William Rogers III, was the person responsible for disposing of them.
It was later reported that Coca-Cola only became aware of the situation when they received an anonymous tip (ajc.com):
On November 17, 2013, the anonymous caller contacted Coke security and reported the company owned equipment was going to be moved at any moment due to a big fall out between the employee [Rogers] and his wife.
Most of the computers were found in Rogers’s home, but a number of them had been given to acquaintances as well. The media reported that all the stolen machines were eventually recovered (court documents, as we’ll see below, are less certain).
Sensitive personal information such as Social Security numbers and driver’s license numbers was found when the company performed forensic analysis of the machines, triggering data breach notification laws.
A number of months later, Enslin and his family found themselves mired in identity theft problems while on vacation. The problems gradually snowballed, with criminals using his information to obtain a job, purchase thousands of dollars of merchandise, attempt changes of address to further other scams, and so on.
Contradictions and Errors
Data breaches, no matter how straightforward, always contain an element of uncertainty, and the Coca-Cola situation is no different.
Initially, the media reported that 53 laptops were involved in the data breach. At some point, that was corrected to 55 laptops. The reported span of the thefts also grew, from five years to more than six. It has also been reported that the stolen machines’ prices ranged from less than $500 to $2,500, which leads one to ask whether it really was only decommissioned laptops that were stolen.
Perhaps the confusion originates from Rogers himself, who,
In a written statement to [Coca-Cola], Thomas Rogers stated he had “a couple of boxes full of laptops” but “didn’t know how much equipment he had” because he had been accumulating it for five years [ajc.com]
The implication, then, is that there could be more laptops out, even if it was reported that all computers were accounted for. The company admitted as much to the courts:
After it learned of the breach, Coca-Cola sought to recover its missing hardware, and while it has “a very good feeling” that it has been able to recover it all, it cannot say for sure. [gpo.gov]
Could Have Had Better Security
In light of the above, could Coca-Cola be accused of being lax in their responsibilities? It would be hard not to.
They could have easily prevented a data breach (not necessarily the physical act of the laptop theft itself) by employing full-disk encryption on every computer, laptop or desktop alike. Disk encryption protects data at rest, and a powered-off machine sitting in a disposal pile is exactly that case: without the correct passphrase (or recovery key), what Rogers would have had in his hands was a drive full of ciphertext, and the personal, sensitive information would have been protected.
Furthermore, the company could have designed its process for retiring computer equipment to include destroying each computer’s encryption key (erasing the key slots that wrap the volume key, a so-called cryptographic erase) before handing the hardware over for disposal. That step takes seconds rather than the hours a full overwrite takes, and it means the data stays protected even if Rogers had somehow obtained the passwords: a passphrase is only useful while the key material it unlocks still exists on the disk.
(And let’s not forget that encryption protects companies from data breaches while the machines are being used in everyday life – break-ins and loss/misplacement have been prominent sources of breaches, too).
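To make the two-step argument above concrete, here is an added example (written for this post, not Coca-Cola’s or any disk-encryption product’s code) that models a LUKS-style encrypted volume: a random volume key encrypts the sectors, and the only copies of that key on the disk are wrapped under passphrase-derived keys in “key slots”. The retirement step is simply erasing the slots. The cipher and key wrapping are built from HMAC-SHA256 keystreams so the example runs on the Python standard library alone; the employee record, passphrases and PBKDF2 round count are constructed for the demo and are assumptions, not a production configuration.

```python
"""Model of an encrypted volume whose key slots are erased at retirement.

Illustrative only: sector encryption and key wrapping use an HMAC-SHA256
keystream (a PRF in counter mode) so this runs on the standard library.
A real deployment would use LUKS, BitLocker or FileVault, not this code.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

SECTOR = 512
PBKDF2_ROUNDS = 100_000  # assumption: chosen for a quick demo, not a tuned setting


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key+nonce into `length` pseudorandom bytes (HMAC in counter mode)."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class KeySlot:
    salt: bytes
    wrapped_key: bytes  # volume key XOR keystream(passphrase-derived KEK)
    tag: bytes          # HMAC over wrapped_key; lets unlock() reject a wrong passphrase


@dataclass
class EncryptedDisk:
    """Header (key slots) plus ciphertext sectors. The volume key itself is
    never stored in the clear anywhere on the disk."""
    slots: list = field(default_factory=list)
    sectors: dict = field(default_factory=dict)  # sector number -> ciphertext

    @staticmethod
    def _kek(passphrase: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS, 32)

    def add_passphrase(self, volume_key: bytes, passphrase: str) -> None:
        salt = os.urandom(16)
        kek = self._kek(passphrase, salt)
        wrapped = _xor(volume_key, _keystream(kek, b"wrap", len(volume_key)))
        tag = hmac.new(kek, wrapped, hashlib.sha256).digest()
        self.slots.append(KeySlot(salt, wrapped, tag))

    def unlock(self, passphrase: str) -> bytes:
        """Return the volume key, or raise if no key slot accepts the passphrase."""
        for slot in self.slots:
            kek = self._kek(passphrase, slot.salt)
            expected = hmac.new(kek, slot.wrapped_key, hashlib.sha256).digest()
            if hmac.compare_digest(expected, slot.tag):
                return _xor(slot.wrapped_key, _keystream(kek, b"wrap", len(slot.wrapped_key)))
        raise PermissionError("no key slot accepts this passphrase")

    def write_sector(self, volume_key: bytes, n: int, plaintext: bytes) -> None:
        assert len(plaintext) <= SECTOR
        nonce = b"sector" + n.to_bytes(8, "big")
        self.sectors[n] = _xor(plaintext, _keystream(volume_key, nonce, len(plaintext)))

    def read_sector(self, volume_key: bytes, n: int) -> bytes:
        nonce = b"sector" + n.to_bytes(8, "big")
        ct = self.sectors[n]
        return _xor(ct, _keystream(volume_key, nonce, len(ct)))

    def decommission(self) -> None:
        """Retirement step (cryptographic erase): destroy every key slot. The
        ciphertext stays on the platters, but nothing on the disk can now turn
        a passphrase back into the volume key."""
        self.slots.clear()


def format_disk(passphrase: str):
    """Create an encrypted disk with one passphrase slot; returns (disk, volume_key)."""
    disk = EncryptedDisk()
    volume_key = os.urandom(32)
    disk.add_passphrase(volume_key, passphrase)
    return disk, volume_key


def demo() -> dict:
    """Walk a laptop through use and retirement; report what each attacker gets."""
    record = b"employee=12345 ssn=000-00-0000 dl=X1234567"  # constructed sample, not real data
    passphrase = "correct horse battery staple"             # constructed for the demo
    disk, vk = format_disk(passphrase)
    disk.write_sector(vk, 0, record)
    del vk  # the running OS forgets the key once the machine is powered down
    results = {}
    # Thief without the passphrase: nothing on the disk is readable.
    results["plaintext_on_disk"] = record in disk.sectors[0]
    try:
        disk.unlock("guess")
        results["wrong_passphrase"] = "unlocked"
    except PermissionError:
        results["wrong_passphrase"] = "refused"
    # Thief who also got the passphrase (a sticky note, say) before retirement: game over.
    results["passphrase_before_retirement"] = disk.read_sector(disk.unlock(passphrase), 0) == record
    # Retirement process erases the key slots before the hardware is handed over.
    disk.decommission()
    try:
        disk.unlock(passphrase)
        results["passphrase_after_retirement"] = "unlocked"
    except PermissionError:
        results["passphrase_after_retirement"] = "refused"
    return results
```

Running `demo()` shows the three states that matter for a retirement process: the raw sectors never contain the record, a wrong passphrase is refused, a correct passphrase reads the record right up until the machine is decommissioned, and after `decommission()` the same correct passphrase is refused too. The design point is that the volume key exists only in wrapped form, so destroying a few hundred bytes of header is as good as overwriting the whole drive.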
Also, it is very troubling that this went on for more than six years. The fact that a domestic disturbance, rather than any inventory check or audit, is how the breach was uncovered… well, that’s just not how well-thought-out security is supposed to work.
There were some very obvious failures here.
However, there is a difference between “being lax in their responsibilities” in a moral or ethical sense and in a legal sense. The courts so far seem to be of the opinion that, in the legal sense, Coca-Cola was not in the wrong.
Regardless of what the ultimate outcome may be, one thing appears to be pretty clear: properly securing the data would probably have been cheaper than defending a lawsuit that has already taken more than three years and is still not resolved.