If you need to notify abuse survivors of a data breach, is it acceptable to take more than one year to notify them?
Urban Resource Institute in New York City provides shelter and services to victims of domestic abuse, homeless people, and individuals with developmental disabilities.
On May 20, 2020, they were the victim of an attack on employees’ email accounts. Unusual network activity was first noticed on July 23, 2020, but it wasn’t until October 2020 that their consultants recognized that some email accounts had been accessed. And it wasn’t until June 2021 that they learned what personal information was in those email accounts.
So it took 11 months from detection of unusual activity to figure out which email accounts had what personal information in them? Why did it take so long to figure all this out? How many hours per day and per week were consultants or employees working on this? It is possible that I am just being unrealistic or unreasonable, but these are abuse victims whose information has possibly been accessed or acquired. The fact that URI and its experts didn’t find evidence of access or acquisition is not really proof that it didn’t happen. And if you can’t be sure what was accessed or acquired, it is possible that someone may have dumped these already on the dark web or might be selling the information, isn’t it? So was this an expedited investigation with “all hands on deck”? Some regulator should look into that.
And why did it take another four months to notify people?
External counsel from LewisBrisbois for URI writes:
Due to the nature of the services URI provides, traditional notification may present a serious safety risk to the notified population, which includes individuals to whom URI has provided or is providing domestic and family violence services. In particular, notified individuals who reside with a current or former abuser may be at risk should the abuser discover the notified individual sought domestic violence services from URI. In order to provide notice of the incident and access to credit and identity monitoring and protection services, while also mitigating the serious safety risk such notice may present, URI provided anonymized notification letters that do not therein identify URI as the organization that experienced the incident. Should notified individuals request information about the identity of the organization, such information will be disclosed upon confirmation of the safety of the inquiring notified individual. After careful consideration, URI believes this approach balances the important interests of providing notice of the incident while also prioritizing the safety and security of the notification population.
Their consideration of the risks and their plan seem reasonable. It is not clear from their notification, however, what they are doing to prevent a recurrence, other than their statement that they have put other (unspecified) safeguards in place. Nor is it clear why it took four months to send the notification letters to those who needed to be notified.
URI is notifying 16,003 employees and clients of the incident.