We have learned this week that ACC clients had their personal details compromised after the theft of a laptop. You can find the summary of the incident here.
The laptop was used by a case manager who took the laptop home, in contradiction to the rules set by the organisation.
Several questions remain unanswered :
1.Why was the laptop hard drive not encrypted, if used out of the organisation?
2.Why did the case manager felt she had to records the personal detail of claimants on the laptop? If the details are needed in the day-to-day business, having a secure connection to the work network seems to be more logical.
3. Why did the case managed take the laptop home? Ignorance of the rules? Not enough time to complete the work during normal hour?
The press and ACC seem to blame the case manager, but unless she deliberately ignored the rules, this incident looks like a failure of the institution to secure its IT equipment properly.
I hope that we will learn more details about this case in the near future.
Have you got any more information about the case?