A Washington Post article discusses the letter the FDIC recently mailed to about 6,000 of its employees that describes a data security breach where employee personal information was compromised:
Thousands of current and former employees at the Federal Deposit Insurance Corp. are being warned that their sensitive personal information was breached, leading to an unspecified number of fraud cases.
In letters dated last Friday, the agency told roughly 6,000 people to be “vigilant over the next 12 to 24 months” in monitoring their financial accounts and credit reports. The data that may have been improperly accessed included names, birth dates, Social Security numbers and salary information on anyone employed at the agency as of July 2002.
The agency said that in a “small number of cases,” the data was used to obtain fraudulent loans from a credit union, but declined to specify how many or the credit union involved.
According to the letter, the breach occurred early last year, and it remains unclear why employees were not notified for nearly 18 months. The agency wrote that it learned of the breach only “recently,” but did not explain how the breach surfaced or why it took so long to learn about it.
Why did it take 18 months to notify people? How did the breach happen? What is being done to address the problems? The letter is vague on details. Currently, there is legislation pending in many states as well as in Congress to mandate notifying people of data security breaches in which their personal information has been leaked. Any data security breach notification law should mandate that disclosure occurs within a reasonable period of time after the breach occurs and that the notification letters have adequate details to inform people about what happened.
Thanks to PrivacySpot for the pointer.
Originally posted at PrawfsBlawg
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.