Breach notifications: what really happened vs. what they tell us
I’ve often pointed out how breach notification letters to those affected may omit details that consumers might want to know but breached entities probably prefer we not know.
I came across another example today. Let’s start with what happened, as described by attorneys for Vector Security to the Maryland Attorney General’s Office. Vector Security provides home and business security systems:
1. In December 2012, Vector relocated its office. In the process, they apparently left behind a laptop containing PII.
2. A contractor subsequently renovating the property found the laptop, and when he couldn’t get it to work, took it to a friend for assistance. The friend was able to gain some access to the contents – enough to realize that the laptop was Vector’s property. The laptop was returned to them the next day, on June 14, 2013. So the laptop had been out of Vector’s control for over 5 months.
3. When Vector recovered the laptop, they promptly started an investigation and hired Kroll to help restore functionality to the laptop and analyze the contents. On September 6, they learned from AllClear ID that the PII included an unreported number of individuals’ Social Security numbers. Notification letters were sent on or about September 13, offering those affected one year of free subscription to AllClear.
Compare the above to what they told those affected:
Vector relocated our operations from an office located in Pittsburgh, Pennsylvania to an office located in Warrendale, Pennsylvania. We learned that a password protected laptop previously used by one of our executives was inadvertently left at our Pittsburgh office during our relocation. The laptop was returned to us and we immediately commenced an investigation into the contents of the laptop.
There’s no full disclosure to the customers that the laptop with their PII was out of their control for over 5 months and that they never realized it was gone until it was returned to them.
There’s no full disclosure to the customers that non-Vector personnel or contractors ever accessed the drive.
There’s no full disclosure that the laptop was returned to them three months before they started sending notification letters.
For all the consumer knows, the laptop might only have been left behind for a week and was quickly recovered in August or at the beginning of September.
Now maybe some customers wouldn’t care about all that, and the important thing to consumers may be that they are being reassured about the low risk of misuse and are offered free services.
And maybe some business reputation management firms would say that such omissions are great because the “whole story” might tarnish a firm’s reputation or result in customer unease or churn.
But as a transparency proponent, I find myself wishing that breached entities really had to disclose the details of breach, no matter how embarrassing it might be to their reputation. Maybe if they did, they’d take greater care.
You can read the Vector Security filing with Maryland here (pdf) and form your opinion.