Guidance when laptop, cell-phone or USB drive is lost or stolen
Determine if the computer was encrypted.
Make sure all logins are deactivated to every work-related access points or change passwords.
File a police report.
Determine if any personal information about others (also called personally identifiable information PII) was on the stolen mobile device. PII could be names and addresses, SS#s, birth dates, children’s names and so on. The most serious breaches have to do with medical information. In the event that the lost or stolen device contains unencrypted medical information, we are statutorily required to notify our clientele that an unauthorized person may have accessed information we have collected about them.
Checking the back-up file, if any, is the best way to determine what was on the laptop.
Find out if federal law or a grant agreement requires that we fill-out an incident report or report the theft to our sponsor. Contract and Grants should be able to help determine this.
Fill-out an ANR incident report for insurance purposes.
For your own safety, I would suggest changing all personal logins and passwords. A sophisticated user can gain access by locating the stored passwords and logins located in the browser or a password keychain app.
We only need to report a theft to UCOP if the breach is significant. ANR’s privacy official and/or Chief Information Security Officer can determine if a breach is significant and if a breach triggers other internal or external notifications.
ANR is required to make an internal report via EthicsPoint.