At the time Chester Ju, an investment representative of McDermott Investment Services, passed away, he had certain client information records at home for his work. What happened to those records became the basis for a breach notification to New Hampshire and some of his clients.
Although the personal representative for the deceased investment representative says he believes he disposed of the records, the firm claims that they have circumstantial evidence that the files wound up in the hands of another representative not affiliated with their firm. Those files include clients’ names, addresses, and Social Security numbers. The firm believes that representative is using the information to contact clients, and they have notified their clients of the situation.
You can read their March 5th notification to New Hampshire and affected clients here (pdf), but this incident is a good reminder to think about what might happen when employees are allowed to keep work at their homes that is not encrypted or adequately secured. Would most companies or covered entities even know how much customer or patient data may be involved or at risk when an employee passes away? I doubt it.
If your firm or agency learns of an employee’s death, do you do anything to determine if there were any records there with client or patient information and take immediate steps to recover them? I know it might seem a bit insensitive to the family, but what is your obligation to your customers, clients, students, or patients?