Lost Hard Drive with PII + Tardy Notification = Upset Alumns

Personal information about 4,400 alumns from Troy Athens High School in the Detroit area went missing in August, but the affected alumns were not notified until October 5.

Part of the delay came from uncertainty: the hard drive was missing, and they thought it may have just been misplaced. They still aren't sure if it was stolen, is still at a computer services shop, or was simply lost under a pile of stuff during renovations.

It is understandable that they would want to make sure it wasn't simply put where it should not have been, but two months seems excessive.  And some, perhaps most or even all, of the alumns are understandably angry about the delay in notification.

""I'm obviously upset about the whole thing," said Paul Nagy, 24, a 2000 graduate of Troy Athens. "Look at all the time it's going to take to stay with this -- the monitoring of credit reports. It could take someone a long time to go through all those names, so it could be years down the road before it comes into play."

One alumnus, Nick Britzky, 25, of Sterling Heights is rallying support among alumni to demand that the school district be held responsible for ensuring that the confidential information isn't used against them.

Britzky, a 2000 graduate, has started two Web sites and plans to approach administrators on Wednesday.

"Join our fight to get them to provide us with our right to free credit monitoring," reads his plea on the Web site troyathenssucks.com, which features a photograph of the high school with the universal symbol of the red circle with a slash through it.

"I checked it out and it costs about $15 a month to get credit reports from three reporting agencies," said Britzky. "I know that could cost the district a lot of money, but it's a good step.""

Organizations need to understand that individuals impacted by data incidents are becoming more and more vocal and active in demanding that credit monitoring be provided following incidents. And, considering the impact that fraud, crime, identity theft, and other malfeasance could have, and has had, on growing numbers of individuals, that is understandable.

It sounds like this school did not have an incident response plan, particularly with regard to PII, in place prior to this incident; otherwise it likely would have been handled better.

Regarding the particular incident...

"She [Superintendent Barbara Fowler] said the hard drive came up missing while the school was undergoing renovations over the summer. At the same time, a company was hired to back up the hard drive.  She said during renovations, the computer was placed in a hallway while the school was being prepared for fall. A school employee later realized that the hard drive was missing. Fowler said they questioned the firm, CEO Image in Plymouth, a software development company, about the hard drive, and they said they did not have it or know its location."

Do you know the whereabouts of all your computers, computer storage media, and so on, at all times...or at least those that contain PII?  Hopefully you have policies and procedures to ensure you do.


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books, dozens of articles, and has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.