California’s Department of Resources Recycling and Recovery (CalRecycle), which is under the Department of Environmental Protection, is notifying employees of a recent breach involving Social Security numbers.
The text of the letter to employees, which has been uploaded to the California Attorney General’s public breach list, explains:
On January 23, 2014, the Human Resources Office (HR) was notified that the Leave Activity and Balances Report that contained your first initial, middle initial, last name, and Social Security Number were sent electronically to your Personnel Liaison.
When we received notification of the incident, HR immediately contacted all Personnel Liaisons and instructed them to delete the e-mail and shred the LAB reports.
They do not indicate how they confirmed deletion and shredding or ensured that the emails had not been forwarded elsewhere.
And according to other information CalRecycle provided to the state, the breach occurred on January 24 (although their letter says January 23) and was discovered on January 24.
To protect yourself from the possibility of identity theft, we recommend that you place a fraud alert on your credit files by following the recommended privacy protection steps outlined in the enclosure.
For more information about identity theft, you may visit the website of the Office of Privacy Protection at http://www.oag.ca.gov/idtheft/first-aid.
We regret that this incident occurred and want to assure that we have reviewed and revised our procedures to minimize the risk of recurrence. Should you need any further information about this incident, please contact Romana Herrera at (916) 341-6285.
Tom Estes, Information Security Officer
If a breach is serious enough to advise placing a fraud alert on credit files, isn’t it serious enough for the breached entity to offer free credit monitoring?
How would you grade CalRecycle on their notification letter and breach response?