KAI RYSSDAL: We aired a story last week about stolen laptops. Corporate laptops, specifically. Computers with thousands of customer and employee social security numbers on them. Or their banking information. While he was reporting that story, Sean Cole happened upon another one. About a security breach that sent one CEO marching off to Washington.
SEAN COLE: I first heard the story from Jonathan Zittrain, one of the founders of the Berkman Center for the Internet and Society at Harvard Law School. We were talking about laptop theft and at one point he turned to look something up on his laptop. Which i thought was kind of funny.
COLE: . . . As you look on your laptop for the information.
JONATHAN ZITTRAIN: Yeah, right, exactly. It’s easy for us academics. It’s like, Read my paper, please. Steal my laptop. Maybe they’ll put it in a museum someday. You know . . . Let me just think for a second. There’s one firm, I’m trying to remember what it was called.
After noodling around on his keyboard for a minute, he found the company he was looking for: TriWest. They manage healthcare for active and retired military personnel.
ZITTRAIN: Yeah, see, they had a computer information theft in 2002 and then ended up winning an award for how they handled it.
COLE: What award goes out to how you . . .
ZITTRAIN: I think this was a public relations award.
COLE: From the Public Relations Society of America. Needless to say, I had to talk to the guy who was able to turn a potential catastrophe into something that you get a statuette for.
DAVE MCINTYRE: My name is Dave McIntyre. I’m the president and CEO of TriWest Healthcare Alliance.
TriWest operates in about 21 states. It’s based in Phoenix, Arizona. In December of 2002, somebody broke into the company’s offices and stole two computer hard drives.
MCINTYRE: And those hard drives contained the personal information of 550,000 of our customers from privates in the military all the way up to the chairman of the Joint Chiefs of Staff.
General Richard Myers, at the time. Maybe you’ve heard of him. The information included names, addresses, birthdates, Social Security numbers. Basically, everything you’d need to cook up 550,000 brand new, fraudulent credit cards.
MCINTYRE: At the time that we got hit it was the largest information theft in the history of the United States.
In short, not a great day for TriWest. Now, a lot of companies in this situation tend to get a little cagey to say the least. But McIntyre asked himself, “What is the quickest way to tell 550,000 people that something has gone terribly wrong.
MCINTYRE: And so I went to the media and held a press conference and it was one way to get in touch with folks.
His company also sent out letters, opened a 1-800 line for concerned customers to call, and created a special e-mail address: computertheftattriwest.com. McIntyre told me no one’s been defrauded as a result of the theft. But you never know. So TriWest spent one or two million dollars on fraud alerts for customers whose data was on the drives. The credit bureaus were buried, McIntyre says. And remember, it was right around Christmas.
MCINTYRE: They were furious. And I said, “Now wait a second. Why are you furious? That’s your job. You’re there not only to put stuff in our credit files, you’re there to make sure it’s accurate. And you’re there to help protect us if there’s a need to do that.” And so that caused me to start asking the question of what else is there that’s not right.
In the four years since the TriWest break in, McIntyre has spent another three-quarters of a million dollars or more crusading for stricter information security laws. He’s testified before congress. Worked with people drafting legislation. At the moment, Congress is considering a few bills that would require companies to do what McIntyre did: Notify customers in the event of a security breach. It’s a sticky issue. With industry groups and consumer groups arguing over how much companies should have divulged and when. McIntyre is more on the spill-your-guts side of things.
MCINTYRE: It’s what’s right for the customer. And I believe that if you keep your customer at the center, that things generally turn out right.
(COLE:I just wanna hug you. What a dreamy thing for someone who works in the cold world of business to say.)
MCINTYRE: It’s a priviledge to have customers. Ultimately we’re all customers. And so we look at this from the standpoint of how would we want to be treated were we in their situation. And certainly some of us have been since.
And by “some of us” McIntyre means him. About a year after the TriWest break in, in the midst of his crusade, his car was broken into in front of a hotel in downtown Phoenix. They got his briefcase, which had his tax forms in it.
MCINTYRE: What ended up happening was they caught the thieves using a manufactured credit card a couple of days later in a retail store that had my numbers on it. Now those people are in jail for five years. The appalling thing was they had been arrested three times prior for the same thing.
So Dave McIntyre’s karmic payback for fighting against information and identity theft was to have his identity stolen. If he gets his way, even possessing the kind of information that the thieves stole from his car, and from his company, will be a crime someday. In the meantime, he’s a little more careful with his briefcase.
In Boston, I’m Sean Cole for Marketplace.