The Worst Example of Executive Data Security Ever?

Fabrice Tourre of Goldman Sachs has the distinction of being the only person sued by the Securities and Exchange Commission for fraud in selling mortgage backed securities. While that may remain his primary claim to fame (thanks to a  front-page article in the New York Times), there may be a secondary distinction added: the worst handling of computer security ever.

The Times article contains numerous e-mails between Tourre and his co-workers and legal counsel as they prepared for the case. How did the reporters get access to private Goldman Sachs e-mails including attorney-client discussions? As stated in the article:

These legal replies, which are not public, were provided to The New York Times by Nancy Cohen, an artist and filmmaker in New York also known as Nancy Koan, who says she found the materials in a laptop she had been given by a friend in 2006.

The friend told her he had happened upon the laptop discarded in a garbage area in a downtown apartment building. E-mail messages for Mr. Tourre continued streaming into the device, but Ms. Cohen said she had ignored them until she heard Mr. Tourre’s name in news reports about the S.E.C. case.  She then provided the material to The Times.

So evidently Mr Tourre took his old laptop, on which he had been sending and receiving privileged private and corporate Goldman Sachs communications, and simply dumped it in the trash bin? Even if the computer had been lost by accident or stolen, he apparently did not take the obvious step of changing the e-mail account password so that it would not continue to synchronize with the Goldman Sachs e-mail server?  And while on the subject of passwords, the laptop apparently had no log-in password whatsoever.  Nancy Cohen apparently simply had to turn the laptop computer on to see all of Mr. Tourre’s files and get a fresh update of the e-mails!

Now to say that a computer containing private corporate and attorney-client e-mails should have had a log-in password, should have been wiped before disposal, and should have had the e-mail password changed as soon as there was the potential for it being available to an outsider is belaboring the obvious.  Or at least I hope it is belaboring the obvious.

So instead of simply declaring the actions idiotic, I will speculate a bit on the bigger picture: What does it say about Mr. Tourre and his colleagues’  ability to see risk?  Simply put, risk was what they were selling with mortgage-backed seucirites. Risk was what they were buying.  And risk, both to Goldman Sachs directly and indirectly to the economy as a whole, was what they were taking.  Clearly anybody hired to work as a trading manager at Goldman Sachs was intelligent enough to understand that not having a password on a business laptop and then tossing it out in the trash was risky if they were mindful of risk at all.  Perhaps being so immersed in such huge levels of risk had made them numb to it.

Oh, and just in case you don’t want to land on the front page of the New York Times too, here is How to Properly Prepare a Computer for Disposal.

Permanent link to this article:

1 comment

    • Jerrica Figuerda on June 12, 2011 at 8:56 PM
    • Reply

    This is a terrific article. Thanks for taking the time to summarize all of this out for us. It is a great help!

Leave a Reply

Your email address will not be published.