<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-24636423</id><updated>2011-07-07T16:38:39.757-07:00</updated><title type='text'>Fidelity - Stolen Laptop Response</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://fesco.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/24636423/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://fesco.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>RealImages</name><uri>http://www.blogger.com/profile/03583011084192836157</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>1</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-24636423.post-114317248833194900</id><published>2006-03-23T19:48:00.000-08:00</published><updated>2006-03-25T10:38:47.633-08:00</updated><title type='text'>Fidelity's Response to Stolen Laptop</title><content type='html'>March 23rd, 2006 - Client Conversation with Fidelity Investment Response Center Regarding Fidelity’s Stolen Laptop Containing Valuable Client Personal Information.&lt;br /&gt;&lt;br /&gt;After some supposed telephone routing problems, I finally got in touch with the Fidelity Investment Response Center 
800-414-4015.&lt;br /&gt;&lt;br /&gt;The customer rep from the response center answered and I proceeded to ask several in-depth questions.  For many questions there was no answer provided – either not privy to the information or under the delusion that they were answering the question when indeed they were only reading a canned reply.  At times there were awkward pauses on Fidelity’s end of the phone line – I had to ask if the person was still there. &lt;br /&gt;&lt;br /&gt;I explained to the rep that I was trying to decide whether to stay with Fidelity or to move my pension options to a competitor and this was going to be based on his answers to my concerned questions.  He responded that he respectfully understood why I was inquiring about this serious matter.  So, I kept notes of the conversation and in the interest of time, I’ve created a concise version below from our 1 hour and 20 minute telephone conversation. &lt;br /&gt;&lt;br /&gt;I’ve presented the conversation in a Q and A format – which is primarily the format I used on the phone with the rep.  I am strongly suggesting that Hewlett-Packard employees (past and present) contact Fidelity’s Investment Response Center and in addition to expressing their disapproval of Fidelity’s handling of personal information and lack of due diligence in protecting it, that they ask Fidelity to extend the Equifax Credit Watch Gold with 3-IN-1 Monitoring for one more year (bringing it to 2 years instead of 1).&lt;br /&gt;&lt;br /&gt;Questions from me are preceded by “Q” and answers from Fidelity are preceded by “A”.&lt;br /&gt;&lt;br /&gt;Q: Fidelity (in their letter to all HP clients) recommended monitoring our credit reports for the next 12-24 months; however they only offered to provide one year of free EQUIFAX Credit Watch Gold with 3-IN-1 Monitoring service.   
Why is Fidelity not offering two years free?&lt;br /&gt;A: &lt;em&gt;This will be forwarded and passed on to upper FESCO management which takes care of the institutional pension and 401K plans.   I don’t know when they will get back to you, but I’ll take your phone number and we’ll get back to you on this.&lt;br /&gt;&lt;br /&gt;&lt;/em&gt;Q: The Fraud alert is only good for 90 days.  Is Fidelity recommending that we perform the fraud alert steps every 90 days for the next two years? &lt;br /&gt;A: [Inconclusive and unclear response.]  I suggested to the rep to recommend to management to send out a summary update to affected clients of what the fraud alert means in practice, thus saving customers the time involved in calling EQUIFAX.  I mean, Fidelity is pushing out all these work cycles to their customers when they are the ones who had our personal information stolen.  (As you will see below, you don’t feel confident that Fidelity is going to do anything pro-active to prevent this from happening again.  They’ll give you a standard reply, but where is the “action” to back up the words?)&lt;br /&gt;&lt;br /&gt;Q: Where was the laptop stolen?&lt;br /&gt;A: [Awkward pause.]  &lt;em&gt;We are not privy to that information.&lt;br /&gt;&lt;/em&gt;&lt;br /&gt;Q: Under what circumstances did the Fidelity employee load all that personal information on their laptop?&lt;br /&gt;A: &lt;em&gt;We are not privy to that information.&lt;br /&gt;&lt;/em&gt;&lt;br /&gt;Q: Best-in-class security practices suggest not placing sensitive client information on a laptop, what was Fidelity’s policy on this? &lt;br /&gt;A: &lt;em&gt;It’s not Fidelity’s practice to have that level of data on a laptop.&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;Q: But it was the practice in this case where the laptop was stolen, yes?&lt;br /&gt;A: [No response.]&lt;br /&gt;&lt;br /&gt;Q: Has the Fidelity employee been disciplined?&lt;br /&gt;A: [Awkward long pause.] 
&lt;em&gt;We are not privy to that information.&lt;br /&gt;&lt;/em&gt;&lt;br /&gt;Q: Was someone or some group held accountable?&lt;br /&gt;A: &lt;em&gt;We are not privy to that information.&lt;br /&gt;&lt;/em&gt;&lt;br /&gt;Q: Is there an approval process (a check-and-balance) within Fidelity to decide when this is appropriate and required?&lt;br /&gt;A:  &lt;em&gt;Fidelity as an organization limits the use of such confidential data outside of Fidelity to only those instances where the information is appropriate or required for meetings with clients about their specific plans and participants.&lt;br /&gt;&lt;/em&gt;&lt;br /&gt;Q: Who determines when it’s appropriate to place this personal information on a laptop for a meeting?&lt;br /&gt;A: [Repeats this response in full:] &lt;em&gt;Fidelity as an organization limits the use of such confidential data outside of Fidelity to only those instances where the information is appropriate or required for meetings with clients about their specific plans and participants.&lt;br /&gt;&lt;br /&gt;&lt;/em&gt;Q: You are not answering my specific question, are you?&lt;br /&gt;A: &lt;em&gt;Yes I am.&lt;/em&gt;  [Repeats this response in full:] &lt;em&gt;Fidelity as an organization limits the use of such confidential data outside of Fidelity to only those instances where the information is appropriate or required for meetings with clients about their specific plans and participants.&lt;br /&gt;&lt;br /&gt;&lt;/em&gt;Q: You are just repeating that same canned answer.  Why are you doing that?&lt;br /&gt;A: &lt;em&gt;No I’m not.  
I’m answering your question.&lt;/em&gt;  [Repeats this response in full:] &lt;em&gt;Fidelity as an organization limits the use of such confidential data outside of Fidelity to only those instances where the information is appropriate or required for meetings with clients about their specific plans and participants.&lt;br /&gt;&lt;/em&gt;&lt;br /&gt;Q: Who made the decision to place confidential information on the laptop that was stolen?  Was that done by a Fidelity worker or group autonomously or is there a check-and-balance within Fidelity’s information security policies?&lt;br /&gt;A: &lt;em&gt;I can’t answer specific questions about an employee. &lt;/em&gt; [Repeats this response in full:] &lt;em&gt;Fidelity as an organization limits the use of such confidential data outside of Fidelity to only those instances where the information is appropriate or required for meetings with clients about their specific plans and participants.&lt;br /&gt;&lt;/em&gt;&lt;br /&gt;Q: I’m not asking questions specifically about an employee by name, per se.  
Within Fidelity’s information security operating parameters/policies, are decisions like this made with or without an approval?&lt;br /&gt;A: &lt;em&gt;I’m not privy to that information.&lt;/em&gt;  [Repeats this response in full:] &lt;em&gt;Fidelity as an organization limits the use of such confidential data outside of Fidelity to only those instances where the information is appropriate or required for meetings with clients about their specific plans and participants.&lt;br /&gt;&lt;/em&gt;&lt;br /&gt;Q: Can you pass me on to someone who is privy to this information?&lt;br /&gt;A: &lt;em&gt;But I’ve answered your question.&lt;/em&gt;  [Repeats this response in full:] &lt;em&gt;Fidelity as an organization limits the use of such confidential data outside of Fidelity to only those instances where the information is appropriate or required for meetings with clients about their specific plans and participants.&lt;br /&gt; &lt;/em&gt;&lt;br /&gt;In conclusion, I’ll let the 196,000 Hewlett-Packard employees (past and present) draw their own conclusions from this interesting (and I believe very revealing) dialogue.  Fidelity’s responses above don’t prove to me that Fidelity is going to learn their lesson – they didn’t learn it from listening to the news of other predominant companies who have had several laptops stolen at meetings while going to lunch.  My gut tells me that Fidelity is out-of-control and does not know how to act proactively to prevent this from happening again.&lt;br /&gt;&lt;br /&gt;The analogy I used with the Fidelity Investment Response Center went like this:  If a Fidelity employee was entrusted with a million dollars in a briefcase (and no one knew of its contents), they wouldn’t leave that briefcase out of their possession or sight for even a split second.  Apparently though, some Fidelity employees and groups do NOT equate the same urgency in protecting “our” personal information. 
&lt;br /&gt;&lt;br /&gt;Finally, just like you shouldn’t be walking around with a million dollars in a briefcase in today’s world, Fidelity shouldn’t be walking around with a laptop with a client’s valuable personal information… period!</content><link rel='replies' type='application/atom+xml' href='http://fesco.blogspot.com/feeds/114317248833194900/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=24636423&amp;postID=114317248833194900' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/24636423/posts/default/114317248833194900'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/24636423/posts/default/114317248833194900'/><link rel='alternate' type='text/html' href='http://fesco.blogspot.com/2006/03/fidelitys-response-to-stolen-laptop.html' title='Fidelity&apos;s Response to Stolen Laptop'/><author><name>RealImages</name><uri>http://www.blogger.com/profile/03583011084192836157</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry></feed>
