Bullying is not an appropriate breach response
I recently posted what I considered to a stupid lawsuit – one where the party that had a breach sued the hapless recipients of the breached information.
Today I found another example of bullying and threats in response to a breach. It seems that an employee of Tooele County made an error years ago and misfiled documents with about 200 employees’ names and Social Security numbers in one employee’s file. Years later, when that employee retired and requested a copy of his files, they scanned everything that was in his folder – including the misfiled documents – and sent it to him on a CD.
The recipient contacted the state’s attorney general when he realized what he had been sent because he was concerned that if he just turned the CD over to the county, the breach might get swept under a rug. The AG’s office wouldn’t accept the CD, however, and referred him back to the county. And then, according to the Salt Lake Tribune:
“We contacted the AG’s office, and they then contacted Mr. Brozovich and essentially told him what he could be facing,” [Public Information Office Wade]Mathews said.
Brozovich was advised that he could be charged with a felony — punishable by up to five years in prison — if he kept the identifying documents he knew he wasn’t meant to have.
“We appreciate his cooperation and that of the AG’s office,” Mathews said, adding that no charges would be brought against Brozovich.
Why was there any need for the county or AG’s office to threaten the recipient when he was obviously trying to do the right thing?
Enough already, folks. Stop the bullying. Stop the threatening. If you screwed up, apologize, profusely thank the person who contacted you, and offer to come retrieve the information at their earliest convenience.