[Senate Report 110-70]
[From the U.S. Government Publishing Office]

Calendar No. 168
110th Congress, 1st Session                                SENATE                                Report 110-70

======================================================================

PERSONAL DATA PRIVACY AND SECURITY ACT OF 2007

_______

May 23, 2007.--Ordered to be printed

_______

Mr. Leahy, from the Committee on Judiciary, submits the following

R E P O R T

together with

ADDITIONAL VIEWS

[To accompany S. 495]

[Including cost estimate of the Congressional Budget Office]

The Committee on the Judiciary, to which was referred the bill (S. 495), to prevent and mitigate identity theft, to ensure privacy, to provide notice of security breaches, and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information, reports favorably thereon with amendments, and recommends that the bill, with amendments, do pass.

CONTENTS

I. Purpose of the Personal Data Privacy and Security Act of 2007
II. History of the Bill and Committee Consideration
III. Section-by-Section Summary of the Bill
IV. Cost Estimate
V. Regulatory Impact Evaluation
VI. Conclusion
VII. Additional Views
VIII. Changes in Existing Law Made by the Bill as Reported

I. Purpose of the Personal Data Privacy and Security Act of 2007

A. SUMMARY

Advanced technologies, combined with the realities of the post-9/11 digital era, have created strong incentives and opportunities for collecting and selling personal information about ordinary Americans. Today, private sector and governmental entities alike routinely traffic in billions of electronic personal records about Americans.
Americans rely on this data to facilitate financial transactions, provide services, prevent fraud, screen employees, investigate crimes, and find loved ones. The government also relies upon this information to enhance national security and to combat crime. The growing market for personal information has also become a treasure trove that is both valuable and vulnerable to identity thieves. As a result, the consequences of a data security breach can be quite serious. For Americans caught up in the endless cycle of watching their credit unravel, undoing the damage caused by security breaches and identity theft can become a time-consuming and life-long endeavor.

In addition, while identity theft is a major privacy concern for most Americans, the use and collection of personal data by government agencies can have an even greater impact on Americans' privacy. The loss or theft of government data can potentially expose ordinary citizens, government employees and members of the armed services alike to national security and personal security threats.

Despite these well-known dangers, the Nation's privacy laws lag far behind the capabilities of technology and the cunning of identity thieves. The Personal Data Privacy and Security Act of 2007 is a comprehensive, bipartisan privacy bill that seeks to close this privacy gap by establishing meaningful national standards for providing notice of data security breaches, and by addressing the underlying problem of lax data security, to make it less likely for data security breaches to occur in the first place.

B. THE GROWING PROBLEM OF DATA SECURITY BREACHES AND IDENTITY THEFT

According to the Privacy Rights Clearinghouse, more than 150 million records containing sensitive personal information have been involved in data security breaches since 2005.\1\ Since the Personal Data Privacy and Security Act was first reported by the Judiciary Committee in November 2005, there have been at least 436 data security breaches in the United States, affecting millions of American consumers.\2\ For example, in January 2007, mega retailer TJX disclosed that it suffered the largest data breach in U.S. history--affecting at least 45.7 million credit and debit cards.\3\ The TJX data breach follows many other commercial data breaches, collectively affecting millions of Americans, including data security breaches at ChoicePoint and LexisNexis.\4\

---------------------------------------------------------------------------
\1\ See Privacy Rights Clearinghouse Chronology of Data Breaches, www.privacyrights.org. A copy of this chronology appears in the Appendix to this report.
\2\ Id.
\3\ ``Breach of data at TJX is called the biggest ever, Stolen numbers put at 45.7 million,'' Boston Globe, March 29, 2007.
\4\ See generally, Appendix.
---------------------------------------------------------------------------

Federal government agencies have also suffered serious data security breaches.
In May 2006, the Department of Veterans Affairs lost an unsecured laptop computer hard drive containing the health records and other sensitive personal information of approximately 26.5 million veterans and their spouses.\5\ In April 2007, the United States Department of Agriculture (``USDA'') admitted that it posted personal identifying information on about 63,000 grant recipients on an agency website and acknowledged that as many as 150,000 people whose personal details were entered into a federal government database over the past 26 years could have been exposed by that website.\6\ And, in May 2007, the Transportation Security Administration (``TSA'') reported that the personal and financial records of 100,000 TSA employees were lost after a computer hard drive was reported missing from the agency's headquarters, exposing the Department of Homeland Security to potential national security risks.\7\

---------------------------------------------------------------------------
\5\ See Testimony of the Honorable James Nicholson, Secretary of Veterans Affairs, before the House Committee on Government Reform, June 8, 2006.
\6\ See ``USDA has data breach,'' Government Computer News, April 23, 2007.
\7\ See ``TSA seeks hard drive, personal data for 100,000,'' USA Today, May 5, 2007; see also, the Federal Times, ``Union Sues TSA over loss of data on employees,'' May 9, 2007.
---------------------------------------------------------------------------

The steady wave of data security breaches in recent years is a window into a broader, more challenging trend. Insecure databases are now low-hanging fruit for hackers looking to steal identities and commit fraud. The current estimates of the incidence of identity theft in the United States vary, but they are all disturbingly high.
According to a recent report on identity theft by the Federal Trade Commission, annual monetary losses due to identity theft are in the billions of dollars.\8\ In fact, American consumers collectively spend billions of dollars to recover from the effects of identity theft, according to the FTC.\9\ Identity theft also has a significant negative impact on our Nation's businesses. The FTC recently found that businesses suffer the most direct financial harm due to this illegal conduct, because consumers are often not held personally responsible for fraudulent charges.\10\

---------------------------------------------------------------------------
\8\ See The President's Identity Theft Task Force, Combating Identity Theft: A Strategic Plan, April 2007, at page 11.
\9\ Id.
\10\ Id.
---------------------------------------------------------------------------

Because data security breaches adversely affect many segments of the American community, a meaningful solution to this growing problem must carefully balance the interests and needs of consumers, business and the government.

C. THE PERSONAL DATA PRIVACY AND SECURITY ACT OF 2007

The Personal Data Privacy and Security Act of 2007 takes several meaningful and important steps to balance the interests and needs of consumers, business and the government in order to better protect Americans' sensitive personal data. This legislation is supported by a wide range of consumer, business and government organizations, including the American Federation of Government Employees, Business Software Alliance, the Center for Democracy & Technology, Consumer Federation of America, Consumers Union, Cyber Security Industry Alliance, Microsoft, the National Association of Credit Management, Vontu, TraceSecurity and the United States Secret Service.

1. Access and Correction

First, to provide consumers with tools that enable them to guard against identity theft, S. 495 gives consumers the right to know what sensitive personal information commercial data brokers have about them. In addition, S. 495 extends the protections afforded under the Fair and Accurate Credit Transactions Act (``FACTA''), by allowing consumers to correct their personal information if it is inaccurate. Under circumstances where a business entity makes an adverse decision based on information provided to it by a data broker, S. 495 also requires that the business entity notify the consumer of the adverse decision and provide the consumer with the information needed to contact the data broker and correct the information. The right of consumers to access and correct their own sensitive personal data is a simple matter of fairness. The principles of access and correction incorporated in S. 495 have precedent in the credit reporting industry context and these principles have been adapted to the data broker industry.

2. Data Security Program

Second, the bill recognizes that, in the Information Age, any company that wants to be trusted by the public must earn that trust by vigilantly protecting the information that it uses and collects. The bill takes important steps to accomplish this goal, by requiring that companies that have databases with sensitive personal information on more than 10,000 Americans establish and implement a data privacy and security program. There are exemptions to this requirement for companies already subject to data security requirements under the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act.

3. Notice

Third, because American consumers should know when they are at risk of identity theft, or other harms, because of a data security breach, the bill also requires that business entities and federal agencies promptly notify affected individuals and law enforcement when a data security breach occurs.
Armed with such knowledge, consumers can take steps to protect themselves, their families, and their personal and financial well-being. The trigger for notice to individuals is ``significant risk of harm,'' and this trigger includes appropriate checks and balances to prevent over-notification and underreporting of data security breaches. In this regard, S. 495 recognizes that there are harms other than identity theft that can result from a data security breach, including harm from other financial crimes, stalking and other criminal activity. Consequently, the bill adopts a trigger of ``significant risk of harm,'' rather than a weaker trigger of ``significant risk of identity theft,'' for the notice to individuals requirement in the legislation.\11\ There are exemptions to the notice requirements for individuals for national security and law enforcement reasons, as well as an exemption to this requirement for credit card companies that have effective fraud-prevention programs.\12\

---------------------------------------------------------------------------
\11\ A notice trigger based upon ``significant risk of identity theft'' would weaken the notice provisions in S. 495 and such a standard would also fail to adequately protect consumers. First, the weaker ``significant risk of identity theft'' standard only requires notification of consumers when a business entity or federal agency affirmatively finds that there is a significant risk of the specific crime of identity theft. In addition, as discussed above, there are other harms that could result from data security breaches, such as stalking, physical harm, or threats to national security, that are not addressed or covered under a notice standard based solely on the risk of identity theft.
\12\ In his additional views, Senator Sessions incorrectly states that S. 495 will result in over-notification of consumers and in a lack of clarity for business. To the contrary, the bill contains meaningful checks and balances, including the risk assessment and financial fraud provisions in Section 312, to prevent over-notification and the underreporting of data security breaches. The risk assessment provision in Section 312(b), furthermore, provides businesses with an opportunity to fully evaluate data security breaches when they occur, to determine whether notice should be provided to consumers. In addition, the bill complements and properly builds upon other federal statutes governing data privacy and security to ensure clarity for business in this area. For example, to avoid conflicting obligations regarding the bill's data security program requirements, Section 301(c) specifically exempts financial institutions that are already subject to, and complying with, the data privacy and security requirements under GLB, as well as HIPAA-regulated entities. The bill also builds upon existing federal laws and guidance, such as the data security protections established by the Office of the Comptroller of the Currency for financial institutions and the access and correction provisions in the Fair Credit Reporting Act and the Fair and Accurate Credit Transactions Act, to clarify the obligations of business.
---------------------------------------------------------------------------

In addition, to strengthen the tools available to law enforcement to investigate data security breaches and to combat identity theft, S. 495 also requires that business entities and federal agencies notify the Secret Service of a data security breach within 14 days of the occurrence of the breach. This notice will provide law enforcement with a valuable head start in pursuing the perpetrators of cyber intrusions and identity theft.
The bill also empowers the Secret Service to obtain additional information about the data breach from business entities and federal agencies to determine whether notice of the breach should be given to consumers and other law enforcement agencies. This mechanism gives businesses and agencies certainty as to their legal obligation to provide notice and prevents them from sending notices when they are unnecessary, which, over time, could result in consumers ignoring such notices.

Since 1984, Congress has provided statutory authority for the Secret Service to investigate a wide range of financial crimes, including offenses under 18 U.S.C. Sec. 1028 (false identification fraud), Sec. 1029 (access device fraud) and Sec. 1030 (computer fraud). In the last two decades, the Secret Service has conducted more than 733,000 financial fraud and identity theft investigations involving these statutes, leading to the prosecution of more than 116,000 individuals.\13\ Pursuant to the notice requirements in the bill, the Secret Service's Criminal Intelligence Section would analyze, coordinate and monitor all data breach investigations reported to it by victim companies. When the Criminal Intelligence Section receives notification of a data breach, this section would immediately analyze the information and refer the case to the appropriate field office and/or electronic/financial crimes task force, for investigation and prosecution. Throughout this process, the Criminal Intelligence Section would further stand ready to support the victim company, investigating field office or task force, and prosecuting U.S. Attorney's Office as needed. The Criminal Intelligence Section would also coordinate with the Computer Crime and Intellectual Property Section (``CCIPS'') of the Department of Justice to ensure proper and timely response through the federal judicial system, regardless of where the data breach occurred. In addition, the Criminal Intelligence Section would have the additional responsibility of notifying federal law enforcement and state attorneys general as mandated by the legislation.

---------------------------------------------------------------------------
\13\ See Secret Service White Paper, ``Data Broker Legislation--S. 495,'' May 2007.
---------------------------------------------------------------------------

The bill also recognizes the benefits of separating the notice obligations of owners of personally identifiable information and third parties who use and manage personally identifiable information on the owner's behalf. The bill imposes an obligation on third parties that suffer a data security breach to notify the owners or licensees of the personally identifiable information, who would, in turn, notify consumers. If the owner or licensee of the data gives notice of the breach to the consumer, then the breached third party does not have to give notice. The bill also states that it does not abrogate any agreement between a breached entity and a data owner or licensee to provide the required notice in the event of a breach. Separating the notice obligations between data owners and licensees, and third parties, will encourage data owners and licensees to address the notice obligation in agreements with third parties and will help to ensure that consumers will receive timely notice from the entity with which they have a direct relationship and would recognize upon receiving such notice, in the event of a data security breach. However, this notice can only be effective if the entity which suffers the breach, and any other third parties, provide to the entity who will give the notice complete and timely information about the nature and scope of the breach and the identity of the entity breached.

4. Enforcement

Fourth, this legislation also establishes tough, but fair, enforcement provisions to punish those who fail to notify consumers of a data security breach, or to maintain a data security program. The bill makes it a crime for any individual who knows of the obligation to provide notice of a security breach, and yet intentionally and willfully conceals the breach, when the breach causes economic harm to consumers. Violators of this provision are subject to a criminal fine under Title 18, or imprisonment of up to 5 years, or both. This provision is no more onerous than criminal provisions for other types of fraudulent conduct which cause similar harm to individuals.

The bill also contains strong civil enforcement provisions. The bill authorizes the Federal Trade Commission (``FTC'') to bring a civil enforcement action for violations of the data security program requirements in the bill and to recover a civil penalty of not more than $5,000 per violation, per day and a maximum penalty of $500,000 per violation.\14\ In addition, the bill authorizes State Attorneys General, or the U.S. Attorney General, to bring a civil enforcement action against violators of the notice requirements in the bill and to recover a civil penalty of not more than $1,000 per individual, per day and a maximum penalty of $1,000,000 per violation, unless the violation is willful or intentional.

---------------------------------------------------------------------------
\14\ Double penalties may be recovered for intentional or willful violations of this provision.
---------------------------------------------------------------------------

5. Preemption

The legislation also carefully balances the need for federal uniformity in certain data privacy laws and the important role of States as leaders on privacy issues.
Section 304 of the bill (relation to other laws) preempts state laws with respect to requirements for administrative, technical, and physical safeguards for the protection of sensitive personally identifying information. These requirements, which are referred to in this Section, are the same requirements set forth in Section 302 of the bill.

Section 319 of the bill (effect on federal and state laws) also preempts state laws on breach notification. However, in recognition of the important role that the States have played in developing breach notification, the bill carves out an exception to preemption for state laws regarding providing consumers with information about victim protection assistance that is provided for by the State. In addition, Section 319 of the bill provides that the notice requirements in S. 495 supersede ``any provision of law of any State relating to notification of a security breach, except as provided in Section 314(b) of the bill.'' The bill's subtitle on security breach notification applies to ``any agency, or business entity engaged in interstate commerce,'' and the term ``agency'' is defined in the bill by referencing section 551 of title 5, United States Code, which pertains to federal governmental entities. As a result, the security breach notification requirements in the bill have no application to State and local government entities, and the Committee does not intend for this provision to preempt or displace state laws that address obligations of State and local government entities to provide notice of a security breach.

6. Government Use

Finally, the bill establishes important new checks on the government's use of personal data.
In April 2007, the Government Accountability Office (``GAO'') released a new report on government data breaches that highlighted the importance of protecting government computer equipment containing personally identifiable information and of federal agencies responding effectively to data security breaches that pose privacy risks.\15\ To address these concerns, the bill requires that federal agencies consider whether data brokers can be trusted with government contracts that involve sensitive information about Americans before awarding government contracts. The bill also requires that Federal agencies audit and evaluate the information security practices of government contractors and third parties that support the information technology systems of government agencies. In addition, the bill requires that Federal agencies adopt regulations that specify the personnel allowed to access government databases containing personally identifiable information and adopt regulations that establish the standards for ensuring, among other things, the legitimate government use of sensitive personal information.

---------------------------------------------------------------------------
\15\ See GAO Report on ``Privacy: Lessons Learned About Data Breach Notification,'' April 2007.
---------------------------------------------------------------------------

II. History of the Bill and Committee Consideration

A. HEARINGS

1. April 13, 2005

On April 13, 2005, the Judiciary Committee held a hearing on ``Securing Electronic Personal Data: Striking a Balance between Privacy and Commercial and Governmental Use.'' This hearing examined the practices and weaknesses of the rapidly growing data broker industry and, in particular, how data brokers were handling the most sensitive personal information about Americans.
The hearing also explored how Congress could establish a sound legal framework for future data privacy legislation that would ensure that privacy, security, and civil liberties will not be pushed aside in the new Digital Age. The following witnesses testified at this hearing: Deborah Platt Majoras, Chairman of the Federal Trade Commission; Chris Swecker, Assistant Director for the Criminal Investigative Division at the Federal Bureau of Investigation; Larry D. Johnson, Special Agent in Charge of the Criminal Investigative Division of the U.S. Secret Service; William H. Sorrell, President of the National Association of Attorneys General; Douglas C. Curling, President, Chief Operating Officer, and Director of ChoicePoint, Inc.; Kurt P. Sanford, President & CEO of the U.S. Corporate & Federal Markets LexisNexis Group; Jennifer T. Barrett, Chief Privacy Officer of Acxiom Corp.; James X. Dempsey, Executive Director of the Center for Democracy & Technology; and Robert Douglas, CEO of PrivacyToday.com.

2. March 21, 2007

On March 21, 2007, the Judiciary Committee's Subcommittee on Terrorism, Technology and Homeland Security held a hearing on ``Identity Theft: Innovative Solutions for an Evolving Problem.'' This hearing examined the problem of identity theft and legislative solutions to this problem, and discussed the need for federal legislation on data breach notification. The following witnesses testified at this hearing: Ronald Tenpas, Associate Deputy Attorney General, United States Department of Justice; Lydia Parnes, Director, Bureau of Consumer Protection, Federal Trade Commission; James Davis, Chief Information Officer and Vice Chancellor for Information Technology, University of California, Los Angeles; Joanne McNabb, Chief, California Office of Privacy Protection; and Chris Jay Hoofnagle, Senior Staff Attorney, Samuelson Law, Technology & Public Policy Clinic, School of Law (Boalt Hall), University of California, Berkeley.

B. LEGISLATION

Chairman Patrick Leahy and Ranking Member Arlen Specter introduced the Personal Data Privacy and Security Act of 2007 on February 6, 2007. This bipartisan, comprehensive privacy bill is cosponsored by Senators Schumer, Feingold, Cardin, Sanders and Brown. This legislation is very similar to the Personal Data Privacy and Security Act of 2005, S. 1789, which then-Chairman Specter and Ranking Member Leahy introduced on September 29, 2005. The Judiciary Committee favorably reported that legislation on November 17, 2005, by a bipartisan vote of 13 to 5.

On April 25, 2007, S. 495 was placed on the Judiciary Committee's agenda. The Committee considered this legislation on May 3, 2007. During the Committee's consideration of S. 495, six amendments to the bill were offered and five of those amendments were adopted by the Committee:

First, the Committee adopted, without objection, a bipartisan manager's amendment to S. 495 which Chairman Leahy offered on behalf of himself and Senator Specter.
The manager's amendment adds several additional privacy enhancements to the bill, including: (1) a definition of encryption and a provision to encourage business entities to utilize encryption technology to protect personal data, by establishing a presumption that no significant risk of harm exists when sensitive personal data is encrypted with appropriate safeguards; (2) a provision to expressly exempt debit cards and other financial account records from the financial fraud prevention exemption in the bill, to address the TJX data security breach situation, where millions of debit card numbers were stolen and consumers had no right to force their financial institutions to immediately restore any funds stolen from the checking and savings accounts linked to these debit cards; (3) a provision to clarify that notice of the occurrence of a security breach must be given to the Secret Service within 14 days of the breach and that the Secret Service has 10 business days to review any certification seeking an exemption from the notice to individuals requirements under the bill, to enhance the ability of law enforcement to investigate data security breaches; and (4) a provision requiring that the GAO provide a follow-up report to its April 2006 report to Congress on the federal agency use of data brokers.
The Committee also adopted, without objection, an amendment offered by Senator Feinstein to (1) narrow the exemption for public records under the bill to ensure that notice to individuals is provided for data security breaches involving harvested data; (2) broaden the notice provisions under the bill to cover hard copy or paper data; (3) require that the Secret Service must review any certification by a business entity (and may review any certification by an agency) to use the national security exemption to the notice requirements under the bill, and give the Secret Service more authority to obtain additional information before approving this exemption; (4) change the threshold for providing advance notice to consumer credit reporting agencies following a data security breach to breaches affecting more than 5,000 individuals; and (5) clarify that the bill's notice provisions only preempt state laws that apply to entities that are actually covered by the bill.

The Committee also adopted, without objection, two amendments offered by Senator Schumer. The first amendment creates an Office of Federal Identity Theft Protection within the FTC, to provide direct assistance to victims of identity theft. The Office of Federal Identity Theft Protection will, among other things, help consumers to restore their credit and access remedies under State and Federal laws and provide consumers with a uniform certification to establish that they have been victims of identity theft and are eligible for assistance. The second amendment requires that data brokers must be able to track who has access to records containing sensitive personal information and to verify that their customers who seek to access sensitive personal information are accessing this information for a legal purpose.
In addition, the Committee adopted, without objection, an amendment offered by Senator Cardin to require that companies that use information provided by a data broker, and then take an adverse action based upon that information, notify the consumer adversely affected by the information and provide the consumer with an opportunity to access and correct the information. This amendment is based upon similar requirements in the Fair Credit Reporting Act.

The Committee rejected by voice vote an amendment offered by Senator Coburn which would change the trigger for notification in S. 495 from ``significant risk of harm'' to ``significant risk of identity theft.''

Lastly, the Committee adopted, by voice vote, an amendment offered by Senator Whitehouse to exempt bankruptcy debtors from Section 707(b)(2) means testing under the Bankruptcy Abuse Prevention and Consumer Protection Act, if the debtor's financial problems were caused by identity theft. The narrowly-tailored amendment requires that, to be eligible for this exemption, the identity theft must result in at least $20,000 in debt in one year, 50 percent of the debtor's bankruptcy claims, or 25 percent of the debtor's gross income for a 12-month period.

The Committee favorably reported S. 495, as amended, by voice vote.

III. Section-by-Section Summary of the Bill

TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS OF DATA PRIVACY AND SECURITY

Section 101--Organized criminal activity in connection with unauthorized access to personally identifiable information

Section 101 amends 18 U.S.C. Sec. 1961(1) to add intentionally accessing a computer without authorization to the definition of racketeering activity.
Section 102--Concealment of security breaches involving personally identifiable information

Section 102 makes it a crime for a person who knows of a security breach requiring notice to individuals under Title III of this Act, and of the obligation to provide such notice, to intentionally and willfully conceal the fact of, or information related to, that security breach. Punishment is either a fine under Title 18, or imprisonment of up to 5 years, or both.

Section 103--Review and amendment of federal sentencing guidelines related to fraudulent access to or misuse of digitized or electronic personally identifiable information

Section 103 requires the U.S. Sentencing Commission to review and, if appropriate, amend the federal sentencing guidelines for persons convicted of using fraud to access, or to misuse, digitized or electronic personally identifiable information, including sentencing guidelines for the offense of identity theft or any offense under 18 U.S.C. Sec. Sec. 1028, 1028A, 1030, 1030A, 2511 and 2701.

Section 104--Effects of identity theft on bankruptcy proceedings

Section 104 amends 11 U.S.C. Sec. Sec. 101 and 707(b) to exempt debtors from Section 707(b)(2) means testing under the Bankruptcy Abuse Prevention and Consumer Protection Act, if the debtor's financial problems were caused by identity theft. This Section requires that, to be eligible for this exemption, the identity theft must result in at least $20,000 in debt in one year, 50 percent of the debtor's bankruptcy claims, or 25 percent of the debtor's gross income for a 12-month period. The purpose of this provision is to ensure that victims who incur debts due to identity theft have all available protections under the bankruptcy code.

TITLE II--DATA BROKERS

Title II addresses the data brokering industry that has come of age, prompted by technology developments and changes in marketplace incentives.
Data brokers collect and sell billions of private and public records about individuals, including personal, financial, insurance, medical and ``lifestyle'' data, as well as other sensitive information, such as details on neighbors and relatives, or even digital photographs of individuals. Companies like ChoicePoint, LexisNexis and Acxiom, which are generally regarded as leaders in this industry, use this information to provide a variety of products and services, including fraud prevention, identity verification, background screening, risk assessments, individual digital dossiers and tools for analyzing data. Although some of the products and services offered by data brokers are subject to existing privacy and security protections aimed at credit reporting agencies and the financial industry under the Fair Credit Reporting Act (``FCRA'') and Gramm-Leach-Bliley (``GLB''), many are not subject to such protections. In addition, there has been insufficient oversight of the industry's practices, including the accuracy and handling of sensitive data. These concerns have been highlighted by numerous reports of harm caused by inaccurate data records. This Title draws from the principles in FCRA and GLB to close these loopholes.

Section 201--Transparency and accuracy of data collection

Section 201 applies disclosure and accuracy requirements to data brokers that engage in interstate commerce and offer any product or service to third parties that allows access to, or use, compilation, distribution, processing, analyzing or evaluating of personally identifiable information. Section 201 requirements are not applicable to products and services already subject to similar disclosure and accuracy provisions under FCRA and GLB, and implementing regulations.
Section 201 requires data brokers to disclose to individuals, upon their request and for a reasonable fee, all personal electronic records pertaining to that individual that the data broker maintains for disclosure to third parties. Section 201 also requires data brokers to establish a fair process for individuals to dispute, flag or correct inaccuracies in any information that was not obtained from a licensor or public record. Modeled after Section 611 of FCRA, Section 201 requires data brokers to: (1) investigate disputed information within 30 days; (2) notify any data furnishers who provided disputed information and identify such data furnishers to the individual disputing the information; (3) provide notice to individuals on dispute resolution procedures and the status of dispute investigations, including whether the dispute was determined to be frivolous or irrelevant, whether the disputed information was confirmed to be accurate, or whether the disputed information was deleted as inaccurate; and (4) allow individuals to include a statement of dispute in the electronic records containing the disputed personal information. If the information was obtained from a licensor or public record, the data broker must provide the individual with contact information for the source of the data. Section 201 also provides that, under circumstances where a person or business takes an adverse action regarding a consumer, which is based in whole or in part on data maintained by a data broker, the person or business must notify the consumer in writing of the adverse action and provide contact information for the data broker that furnished the information, a copy of the information at no cost and the procedures for correcting such information.

Section 202--Enforcement

A data broker that violates the access and correction provisions of Section 201 is subject to penalties of $1,000 per violation per day with a maximum penalty of $250,000 per violation.
A data broker that intentionally or willfully violates these provisions is subject to additional penalties of $1,000 per violation per day, with a maximum additional penalty of $250,000 per violation. The Federal Trade Commission (``FTC'') will enforce Section 202 and may bring an enforcement action to recover penalties under this provision. States have the right to bring civil actions under this Section on behalf of their residents in U.S. district courts, and this section requires that States provide advance notice of such court proceedings to the FTC, where practicable. The FTC also has the right to stay any state action brought under this Section and to intervene in a state action.

Section 203--Relation to State laws

Section 203 preempts State laws with respect to the access and correction of personal electronic records held by data brokers.

Section 204--Effective date

Section 204 provides that Title II will take effect 180 days after the date of the enactment of the Personal Data Privacy and Security Act.

TITLE III--PRIVACY AND SECURITY OF PERSONALLY IDENTIFIABLE INFORMATION

SUBTITLE A--A DATA PRIVACY AND SECURITY PROGRAM

Section 301--Purpose and applicability of data privacy and security program

Section 301 addresses the data privacy and security requirements of Section 302 for business entities that compile, access, use, process, license, distribute, analyze or evaluate personally identifiable information in electronic or digital form on 10,000 or more U.S. persons. Section 301 exempts from the data privacy and security requirements of Section 302 businesses already subject to, and complying with, similar data privacy and security requirements under GLB and implementing regulations, as well as examination for compliance by Federal functional regulators as defined in GLB, and HIPAA regulated entities.
Section 302--Requirements for a data privacy and security program

Section 302 requires covered business entities to create a data privacy and security program to protect and secure sensitive data. The requirements for the data security program are modeled after those established by the Office of the Comptroller of the Currency for financial institutions in its Interagency Guidelines Establishing Standards for Safeguarding Customer Information, 12 C.F.R. Sec. 30.6 Appendix B (2005). A data privacy and security program must be designed to ensure security and confidentiality of personal records, protect against anticipated threats and hazards to the security and integrity of personal electronic records, protect against unauthorized access and use of personal records, and ensure proper back-up storage and disposal of personally identifiable information. In addition, Section 302 requires a covered business entity to: (1) regularly assess, manage and control risks to improve its data privacy and security program; (2) provide employee training to implement its data privacy and security program; (3) conduct tests to identify system vulnerabilities; (4) ensure that overseas service providers retained to handle personally identifiable information, but which are not covered by the provisions of this Act, take reasonable steps to secure that data; and (5) periodically assess its data privacy and security program to ensure that the program addresses current threats. Section 302 also requires that the data security program include measures that allow the data broker (1) to track who has access to sensitive personally identifiable information maintained by the data broker and (2) to ensure that third parties or customers who are authorized to access this information have a valid legal reason for accessing or acquiring the information.

Section 303--Enforcement

Section 303 gives the FTC the right to bring an enforcement action for violations of Sections 301 and 302 in Subtitle A.
Business entities that violate sections 301 and 302 are subject to a civil penalty of not more than $5,000 per violation, per day and a maximum penalty of $500,000 per violation. Intentional and willful violations of these sections are subject to an additional civil penalty of $5,000 per violation, per day and an additional maximum penalty of $500,000 per violation. This section also grants States the right to bring civil actions on behalf of their residents in U.S. district courts, and requires States to give advance notice of such court proceedings to the FTC, where practicable. There is no private right of action under this subtitle.

Section 304--Relation to other laws

Section 304 preempts state laws relating to administrative, technical, and physical safeguards for the protection of sensitive personally identifying information. The requirements referred to in this Section are the same requirements set forth in Section 302.

SUBTITLE B--SECURITY BREACH NOTIFICATION

Section 311--Notice to individuals

Section 311 requires that a business entity or federal agency give notice to an individual whose sensitive personally identifiable information has been, or is reasonably believed to have been, compromised, following the discovery of a data security breach. The notice required under Section 311 must be made without unreasonable delay. Section 311(b) requires that a business entity or federal agency that does not own or license the information compromised as a result of a data security breach notify the owner or licensee of the data. The owner or licensee of the data would then provide the notice to individuals as required under this Section. However, agreements between owners, licensees and third parties regarding the obligation to provide notice under Section 311 are preserved.

Section 312--Exemptions

Section 312 allows a business entity or federal agency to delay notification by providing a written certification to the U.S.
Secret Service that providing such notice would impede a criminal investigation, or damage national security. This provision further requires that the Secret Service must review all certifications from business entities (and may review certifications from agencies) seeking an exemption from the notice requirements based upon national security or law enforcement, to determine if the exemption sought has merit. The Secret Service has 10 business days to conduct this review, which can be extended by the Secret Service if additional information is needed. Upon completion of the review, the Secret Service must provide written notice of its determination to the agency or business entity that provided the certification. If the Secret Service determines that the exemption is without merit, the exemption will not apply. Section 312 also prohibits federal agencies from providing a written certification to delay notice in order to conceal violations of law, prevent embarrassment or restrain competition. Section 312(b) exempts a business entity or agency that conducts a risk assessment after a data breach occurs, and finds no significant risk of harm to the individuals whose sensitive personally identifiable information has been compromised, from the notice requirements of Section 311, provided that: (1) the business entity or federal agency notifies the Secret Service of the results of the risk assessment within 45 days of the security breach and (2) the Secret Service does not determine within 10 business days of receipt of the notification that a significant risk of harm does in fact exist and that notice of the breach should be given. Under Section 312(b), a rebuttable presumption exists that the use of encryption technology, or other technologies that render the sensitive personally identifiable information indecipherable, means that there is no significant risk of harm.
Section 312(c) also provides a financial fraud prevention exemption from the notice requirement, if a business entity has a program to block the fraudulent use of information--such as credit card numbers--to avoid fraudulent transactions. Debit cards and other financial instruments are not covered by this exemption.

Section 313--Methods of notice

Section 313 provides that notice to individuals may be given in writing to the individual's last known address, by telephone or via email notice, if the individual has consented to email notice. Media notice is also required if the number of residents in a particular state whose information was, or is reasonably believed to have been, compromised exceeds 5,000 individuals.

Section 314--Content of notification

Section 314 requires that the notice detail the nature of the personally identifiable information that has been compromised by the data security breach, a toll free number to contact the business entity or federal agency that suffered the breach, and the toll free numbers and addresses of major credit reporting agencies. Section 314 also preserves the right of States to require that additional information about victim protection assistance be included in the notice.

Section 315--Coordination of notification with credit reporting agencies

Section 315 requires that, for situations where notice of a data security breach is required for 5,000 or more individuals, a business entity or federal agency must also provide advance notice of the breach to consumer reporting agencies.
Section 316--Notice to law enforcement

Section 316 requires that business entities and federal agencies notify the Secret Service of the fact that a security breach occurred within 14 days of the breach, if the data security breach involves: (1) more than 10,000 individuals; (2) a database that contains information about more than 1 million individuals; (3) a federal government database; or (4) individuals known to be government employees or contractors involved in national security or law enforcement. The Secret Service is responsible for notifying other federal law enforcement agencies, including the FBI, and the relevant State Attorneys General within 14 days of receiving notice of a data security breach.

Section 317--Enforcement

Section 317 allows the Attorney General to bring a civil action to recover penalties for violations of the notification requirements in Subtitle B. Violators are subject to a civil penalty of up to $1,000 per day, per individual and a maximum penalty of $1 million per violation, unless the violation is willful or intentional.

Section 318--Enforcement by State Attorneys General

Section 318 allows State Attorneys General to bring a civil action in U.S. district court to enforce Subtitle B. The Attorney General may stay, or intervene in, any state action brought under this subtitle.

Section 319--Effect on Federal and State law

Section 319 preempts state laws on breach notification, with the exception of state laws regarding providing consumers with information about victim protection assistance that is available to consumers in a particular State. Because the breach notification requirements in the bill do not apply to state and local government entities, this provision does not preempt state or local laws regarding the obligations of state and local government entities to provide notice of a data security breach.
Section 320--Authorization of appropriations

Section 320 authorizes funds for the Secret Service as may be necessary to carry out investigations and risk assessments of security breaches under the requirements of Subtitle B.

Section 321--Reporting on risk assessment exemptions

Section 321 requires that the Secret Service report to Congress on the number and nature of data security breach notices invoking the risk assessment exemption and the number and nature of data security breaches subject to the national security and law enforcement exemptions.

Section 322--Effective date

Subtitle B takes effect 90 days after the date of enactment of the Personal Data Privacy and Security Act.

SUBTITLE C--OFFICE OF FEDERAL IDENTITY PROTECTION

Section 331--Office of Federal Identity Protection

Section 331 establishes an Office of Federal Identity Protection within the FTC, to assist consumers with identity theft issues and concerns, including helping consumers correct their personal information and retrieve stolen information. The Office of Federal Identity Protection's activities will also include providing a website dedicated to assisting consumers with identity theft matters, providing a toll free number to assist consumers, providing guidance and information on obtaining pro bono legal services for victims of identity theft, and issuing certifications to victims of identity theft that can be used to, among other things, establish eligibility for fraud alert and reporting protections under the Fair Credit Reporting Act.
TITLE IV--GOVERNMENT ACCESS TO AND USE OF COMMERCIAL DATA

Section 401--General Services Administration review of government contracts

Section 401 requires the General Services Administration (GSA), when issuing contracts for more than $500,000, to review and consider government contractors' programs for securing the privacy and security of personally identifiable information, contractors' compliance with such programs, and any data security breaches of contractors' systems and the responses to those breaches. In addition, GSA is required to include penalties in contracts involving personally identifiable information for (1) failure to comply with Subtitle A (Data Privacy and Security Programs) and Subtitle B (Security Breach Notification) of Title III of this Act and (2) knowingly providing inaccurate information. Section 401 also requires that GSA include a contract requirement that government contractors exercise due diligence in selecting service providers that handle personally identifiable information and that government contractors take reasonable steps to select service providers that maintain appropriate data privacy and security safeguards.

Section 402--Requirement to audit information security practices of contractors and third party business entities

Section 402 amends 44 U.S.C. Sec. 3544 to require that federal agencies audit and evaluate the information security practices of government contractors and third parties that support the information technology systems of government agencies.

Section 403--Privacy impact assessment of Government use of commercial information services containing personally identifiable information

Section 403(a) updates the E-Government Act of 2002 to require federal departments and agencies that purchase or subscribe to personally identifiable information from a commercial entity, to conduct privacy impact assessments on the use of those services.
In addition, Section 403(b) requires federal departments and agencies that use such services to publish a description of the database, the name of the provider and the contract amount. Section 403 also requires that federal departments and agencies adopt regulations that specify the personnel allowed to access government databases containing personally identifiable information and the standards for ensuring, among other things, the legitimate government use of such information, the retention and disclosure of such information, and the accuracy, relevance, completeness and timeliness of such information. Section 403 further provides that federal departments and agencies must include in contracts for more than $500,000 and agreements with commercial data services, penalty provisions for circumstances where a data broker delivers personally identifiable information that it knows to be inaccurate, or has been informed is inaccurate and is in fact inaccurate. Section 403(c) also requires that data brokers that engage service providers, who are not subject to the data security program requirements of the bill, exercise due diligence in retaining these service providers to ensure that adequate safeguards for personally identifiable information are in place. Section 403(d) directs the Government Accountability Office to conduct a follow-up study and report to Congress on federal agency use of commercial databases, including the impact of such use on privacy and security, sufficiency of privacy and security protections, and the extent to which commercial data providers are penalized for privacy and security failures.

Section 404--Implementation of Chief Privacy Officer requirements

Section 522 of the Transportation, Treasury, Independent Agencies, and General Government Appropriations Act, 2005 requires each agency to create a Chief Privacy Officer.
Section 404 facilitates the efficient and effective implementation of this requirement by directing the Department of Justice to implement this provision by designating a Department-wide Chief Privacy Officer, whose primary role is to fulfill the duties and responsibilities of Chief Privacy Officer. In addition, the DOJ Chief Privacy Officer will report directly to the Deputy Attorney General. Section 404 also stipulates responsibilities for the DOJ Chief Privacy Officer that are tailored to the mission of the Department and the requirements of this Act. Specifically, this Section directs the Chief Privacy Officer to: (1) oversee DOJ's implementation of the privacy impact assessment requirement under Section 402; (2) promote the use of law enforcement technologies that sustain, rather than erode, privacy protections and ensure technologies relating to the use, collection and disclosure of personally identifiable information preserve privacy and security; and (3) coordinate implementation with the Privacy and Civil Liberties Oversight Board, established in the Intelligence Reform and Terrorism Prevention Act of 2004.

IV. Congressional Budget Office Cost Estimate

May 17, 2007.

Hon. Patrick J. Leahy,
Chairman, Committee on the Judiciary,
U.S. Senate, Washington, DC.

Dear Mr. Chairman: The Congressional Budget Office has prepared the enclosed cost estimate for S. 495, the Personal Data Privacy and Security Act of 2007. If you wish further details on this estimate, we will be pleased to provide them. The CBO staff contact is Susan Willie.

Sincerely,
Peter R. Orszag.

Enclosure.

S. 495--Personal Data Privacy and Security Act of 2007

Summary: S. 495 would establish new federal crimes relating to the unauthorized access of sensitive personal information. The bill also would require most government agencies or business entities that collect, transmit, store, or use personal information to notify any individuals whose information has been unlawfully accessed. In addition, S.
495 would require data brokers to allow individuals access to their electronic records and publish procedures for individuals to respond to inaccuracies. Finally, the bill would establish the Office of Federal Identity Protection (OFIP) within the Federal Trade Commission (FTC) to assist victims of identity theft to restore the accuracy of their personal information. Assuming appropriation of the necessary amounts, CBO estimates that implementing the provisions of S. 495 would cost $30 million in 2008 and $335 million over the 2008-2012 period. Enacting S. 495 could increase civil and criminal penalties and thus could affect federal revenues and direct spending, but CBO estimates that such effects would not be significant in any year. Further, enacting S. 495 could affect direct spending by agencies not funded through annual appropriations. CBO estimates, however, that any changes in net spending by those agencies would be negligible. S. 495 contains intergovernmental mandates as defined in the Unfunded Mandates Reform Act (UMRA), but CBO estimates that the cost of complying with the requirements would be small and would not exceed the threshold established in UMRA ($66 million in 2007, adjusted annually for inflation). S. 495 would impose several private-sector mandates as defined in UMRA. The bill would impose data security standards and procedures, and notification requirements on certain private-sector entities. In addition, it would require data brokers to provide individuals with their personally identifiable information if requested, and to change the information if it is incorrect. Finally, the bill would require any entity taking an adverse action against an individual based on information maintained by a data broker to notify the individual of that action. 
Because of uncertainty about the number of entities that are already in compliance with the data security and notification mandates, CBO cannot estimate the incremental cost of complying with those mandates. Further, the number of requests for information and the incidence of adverse actions that would occur under the bill are uncertain. Consequently, CBO cannot determine whether the aggregate direct cost of mandates in the bill would exceed the annual threshold established by UMRA for private-sector mandates ($131 million in 2007, adjusted annually for inflation).

Estimated cost to the Federal Government: The estimated budgetary impact of S. 495 is shown in the following table. The costs of this legislation fall within budget functions 370 (commerce and housing credit), 750 (administration of justice), and 800 (general government).

                                                      By fiscal year, in millions of dollars--
                                                      2008    2009    2010    2011    2012
    CHANGES IN SPENDING SUBJECT TO APPROPRIATION
    FTC Office of Federal Identity Protection:
      Estimated Authorization Level ................    33      66      69      73      76
      Estimated Outlays ............................    30      63      69      72      76
    Other Provisions:
      Estimated Authorization Level ................     3       5       7       7       7
      Estimated Outlays ............................     1       3       7       7       7
    Total Changes:
      Estimated Authorization Level ................    36      71      76      80      83
      Estimated Outlays ............................    31      66      76      79      83

Basis of Estimate: For this estimate, CBO assumes that the bill will be enacted during fiscal year 2007, that the necessary amounts will be provided each year, and that spending will follow historical patterns for similar programs.

Spending subject to appropriation

S. 495 would require most government agencies or business entities that collect, transmit, store, or use personal information to notify any individuals whose information has been unlawfully accessed. The bill also would establish the Office of Federal Identity Protection within the FTC to help victims of identity theft correct their personal records. CBO estimates that implementing the provisions of S. 495 would cost $335 million over the 2008-2012 period, assuming appropriation of the necessary amounts.

Security Breach Notification. In the event of a security breach of government information likely to involve personal information, S. 495 would require government agencies to notify an individual whose information may have been compromised. The legislation defines personal information as a combination of a person's name or financial information with any additional unique identifier. Notification would be in the form of individual notice (written notice to a home mailing address or via e-mail) as well as through the mass media and credit-reporting agencies if the security breach affects more than 5,000 individuals. The legislation also would require the agency to provide affected individuals with a description of the accessed information, a toll-free number to contact the agency, the names and toll-free telephone numbers of the major credit-reporting agencies, and information regarding state victim assistance protections.
The Federal Information Security Management Act of 2002 sets requirements for securing the federal government's information systems, including the protection of personal privacy. The National Institute of Standards and Technology develops information security standards and guidelines for other federal agencies, and the Office of Management and Budget (OMB) oversees information technology security policies and practices. OMB estimates that federal agencies spend around $5.5 billion a year to secure the government's information systems. S. 495 would codify the current practices of the federal government regarding data security and security breach notification procedures. While existing laws generally do not require agencies to notify affected individuals of data breaches, agencies that have experienced security breaches have generally provided such notification. Therefore, CBO expects that codifying this practice would probably not lead to a significant increase in spending. Nonetheless, the federal government is also one of the largest providers, collectors, consumers, and disseminators of personnel information in the United States. Although CBO cannot anticipate the number of security breaches, a significant breach of security involving a major collector of personnel information, such as the Internal Revenue Service or the Social Security Administration, could involve millions of individuals and there would be significant costs to notify individuals of such a security breach. S. 495 also would require a business entity or agency--under certain circumstances--to notify the Secret Service that a security breach has occurred. The bill also would permit entities or agencies to apply to the Secret Service for exemption from the bill's notice requirements if the personal data was encrypted or similarly protected or if notification would threaten national security.
Based on information from the Secret Service, CBO estimates that any additional investigative or administrative costs to that agency would likely be less than $500,000 annually, subject to the availability of appropriated funds.

Federal Trade Commission. The bill would establish the Office of Federal Identity Protection (OFIP) within the FTC. The OFIP would be responsible for providing individuals with information and assistance when their personal information has been stolen or compromised. Individuals would be able to request assistance that would include accessing remedies available under federal law, restoring the accuracy of personal information, and retrieving stolen information. FTC would be required to develop regulations to enable the OFIP to help restore stolen or otherwise compromised information. Under current law, the FTC provides general assistance to individuals who call a toll-free number with questions about identity theft or who believe they are the victim of identity theft. Counselors are trained to provide information regarding steps consumers must take to restore the accuracy of their personal information; FTC has entered into a contract with an independent call center to provide assistance and be reimbursed based on the time of each call. This toll-free system received approximately 200,000 complaints in 2006, as well as about 90,000 calls for general information. By requiring the FTC to develop customer-service teams to provide a higher level of assistance than is offered under current law, CBO expects that the amount of time counselors spend with each individual would increase significantly. Under the bill, counselors, rather than the individual, would be expected to take the necessary steps to restore the accuracy of an individual's personal information and any records containing that information that were stolen or compromised.
To accomplish this, counselors would spend more time on the phone with individuals collecting relevant information and make additional calls to creditors and credit-reporting agencies to alert them to the compromised information in their records. Currently, counselors spend an average of eight minutes per call answering questions and suggesting follow-up actions the individual must take to correct his or her personal information. The FTC has estimated that S. 495 would increase the amount of time counselors spend on the phone from eight minutes to more than two hours (including calls to an individual and calls to creditors and credit-reporting agencies). CBO expects that call volume also would increase as individuals become aware of the additional assistance available. Assuming appropriation of the necessary amounts, CBO estimates that the additional time counselors spend on the phone with individuals, creditors, and credit-reporting agencies would cost about $30 million in 2008 and $310 million over the 2008-2012 period. Other provisions of the bill would require the FTC to develop and enforce provisions that would require data brokers to allow individuals to access their personal information and provisions that would require companies to assess the vulnerability of their data systems. FTC would be authorized to collect civil penalties for violations of those new regulations. CBO estimates that implementing those provisions would have no significant effect on spending.

Other Provisions. S. 495 also would require several reports to the Congress by federal agencies concerning data security issues. The legislation would require agencies to conduct additional privacy impact assessments on commercially purchased private-sector data that contains personally identifiable information. Under the bill, the Government Accountability Office would report to the Congress on federal agencies' use of private-sector information.
In addition, the General Services Administration (GSA) would provide additional security assessments for certain government contracts involving personally identifiable information. This would largely involve payroll processing, emergency response and recall, and medical data. Based on information from OMB and GSA, CBO estimates that the additional staff to fulfill those tasks and reporting requirements under the legislation would cost $7 million annually when fully implemented. For this estimate, we assume that the implementation process would take about three years.

Direct spending and revenues

S. 495 would establish new federal crimes relating to the unauthorized access of sensitive personal information. Enacting the bill could increase collections of civil and criminal fines for violations of the bill's provisions. CBO estimates that any additional collections would not be significant because of the relatively small number of additional cases likely to be affected. Civil fines are recorded as revenues. Criminal fines are recorded as revenues, deposited in the Crime Victims Fund, and subsequently spent without further appropriation.

Estimated impact on state, local, and tribal governments: S. 495 contains intergovernmental mandates as defined in UMRA. Specifically, S. 495 would:

--Preempt state laws in 35 states regarding the treatment of personal information;
--Place certain procedural requirements and limitations on state attorneys general and state insurance authorities; and
--Preempt state or local law by requiring state and local jurisdictions to accept a certification by the Office of Federal Identity Protection to grant individuals access to business records used in fraudulent transactions.

The preemptions would impose no costs on states. CBO estimates that the costs to attorneys general of complying with the procedural requirements would be small and would not exceed the threshold established in UMRA ($66 million in 2007, adjusted annually for inflation).
Estimated impact on the private sector: S. 495 would impose several private-sector mandates as defined in UMRA. The bill would:

--Require certain entities to establish and maintain a data privacy and security program;
--Require entities engaged in interstate commerce to notify individuals if a security breach occurs in which such individuals' sensitive, personally identifiable information is compromised;
--Require data brokers to provide individuals with their personally identifiable information and to change the information if it is incorrect; and
--Require any entity taking an adverse action against an individual based on information obtained from a database maintained by a data broker to notify the individual of that action.

Because of uncertainty about the number of entities that are already in compliance with the data security and notification mandates, CBO cannot estimate the incremental cost of complying with those mandates. Further, the number of requests for information and the incidence of adverse actions that would occur under the bill are uncertain. Consequently, CBO cannot determine whether the aggregate direct cost of mandates in the bill would exceed the annual threshold established by UMRA for private-sector mandates ($131 million in 2007, adjusted annually for inflation).

Data privacy and security requirements

Subtitle A of title III would require certain business entities engaging in interstate commerce that involves collecting, accessing, transmitting, using, storing, or disposing of sensitive, personally identifiable information in electronic or digital form on more than 10,000 individuals to establish and maintain a data privacy and security program. The bill would direct the FTC to develop rules that identify privacy and security requirements for business entities. Business entities would be required to conduct risk assessments to identify possible security risks in establishing the program.
They also would have to conduct periodic vulnerability testing on their programs. Additionally, entities would have to train their employees. Some entities would be exempt from the requirements of subtitle A. These include certain financial institutions that are subject to the data security requirements under the Gramm-Leach-Bliley Act and entities that are subject to the data security requirements of the Health Insurance Portability and Accountability Act.

The per-entity cost of the data privacy and security requirements would depend on the rules to be established by the FTC, the size of the entity, and the amount of sensitive, personally identifiable information maintained by the entity. According to industry and government sources, many states already have laws requiring business entities to utilize data security programs, and moreover, it is the current practice of many businesses to use security measures to protect sensitive data. However, because of uncertainty about the number of entities that are already in compliance with the data security mandates, CBO cannot estimate the incremental cost of complying with those mandates.

Security breach notification

Subtitle B of title III would require certain business entities engaged in interstate commerce that use, access, transmit, store, dispose of, or collect sensitive personally identifiable information to notify individuals in the event of a security breach if the individuals' sensitive, personally identifiable information is compromised. Entities would be able to notify individuals using written letters, the telephone, or email under certain circumstances. The bill also would require those entities to notify the owner or licensee of any such information that the entity does not own or license. The bill, however, would exempt business entities from the notification requirements under certain circumstances.
Business entities would be required to notify other entities and agencies in the event of a large security breach. The additional notification requirements are:

--If more than 5,000 individuals are affected by a security breach, the entities would be required to notify appropriate consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
--If more than 5,000 individuals are affected by a security breach in a state, the entity would be required to notify major media outlets serving that state or jurisdiction.

Entities would be required to notify the Secret Service if:

--More than 10,000 individuals are affected by a security breach.
--A security breach involves a database that contains sensitive, personally identifiable information on more than one million people.
--A security breach involves databases owned by the federal government.
--A security breach involves sensitive, personally identifiable information of employees or contractors of the federal government involved in national security or law enforcement.

According to industry and government sources, millions of individuals' sensitive personally identifiable information is illegally accessed every year. However, according to those sources, 38 states already have laws requiring notification in the event of a security breach. In addition, it is the current practice of many business entities to notify individuals in the event of a security breach. Because of uncertainty about the number of entities that are already in compliance with the notification mandates, CBO cannot estimate the incremental cost of complying with the notification requirement under the bill.

Requirements for data brokers

Section 201 would require certain data brokers to disclose all personal electronic records relating to an individual that are kept primarily for third parties if requested by the individual.
The bill defines a data broker as a business entity which for monetary fees or dues regularly engages in the practice of collecting, transmitting, or providing access to sensitive, personally identifiable information on more than 5,000 individuals who are not the customers or employees of that business entity or affiliate primarily for the purposes of providing such information to nonaffiliated third parties on an interstate basis. Additionally, if an individual disputes the accuracy of the information that is contained in the data brokers' records, the data brokers would be required to change the information or provide the individual with contact information for the source from which they obtained the individual's information. Data brokers could determine that some requests to change an individual's information are frivolous. However, the data brokers would be required to notify any individual requesting a change of information of the action taken.

The cost of providing records upon request depends on the costs of gathering and distributing the information to individuals and the number of individuals requesting their information. Under the bill, data brokers would be allowed to charge a reasonable fee for this service. Data brokers would likely be able to cover their costs of providing individuals with their personal information with the fee they could charge.

The cost to data brokers of having to change individuals' information and notifying the individuals could be large. According to information from industry sources, however, some data brokers already correct information based on individual requests. Because of uncertainty about the number of individuals who would request information under the bill and, as a result of those requests, the amount of information that would need to be changed, CBO cannot estimate the cost of this mandate.
Adverse actions using information from data brokers

The section also would require any entity taking an adverse action with respect to an individual based on information contained in a personal electronic record maintained, updated, owned, or possessed by a data broker to notify the individual of the adverse action. The notification can be written or electronic and must include certain information about the data broker. While the per-individual cost of notification would be small, the cost of complying with the mandate would depend on the number of adverse actions that would be taken against individuals by entities. CBO does not have enough information about the incidence of such actions to determine the direct cost of complying with the mandate.

Estimate prepared by: Federal costs: Federal Agencies--Matthew Pickford; Federal Trade Commission--Susan Willie; U.S. Secret Service--Mark Grabowicz. Impact on state, local, and tribal governments: Elizabeth Cove. Impact on the private sector: Paige Piper/Bach.

Estimate approved by: Peter H. Fontaine, Deputy Assistant Director for Budget Analysis.

V. Regulatory Impact Evaluation

In compliance with rule XXVI of the Standing Rules of the Senate, the Committee finds that no significant regulatory impact will result from the enactment of S. 495.

VI. Conclusion

The Personal Data Privacy and Security Act of 2007, S. 495, provides greatly needed privacy protections to American consumers, to ensure that all Americans have the tools necessary to protect themselves from identity theft and other data security risks. This legislation will also ensure that the most effective mechanisms and technologies for dealing with the underlying problem of lax data security are implemented by the Nation's businesses to help prevent data breaches from occurring in the first place. The passage and enactment of this important privacy legislation is long overdue.

VII. Additional Views

ADDITIONAL VIEWS OF SENATOR SESSIONS

This legislation deals with two issues that are very important to me and to the citizens of Alabama: data security and identity theft. I commend my colleague, Senator Shelby, for his efforts to address this issue through the Senate Banking Committee. In fact, as discussed in greater detail below, some of the items that S. 495 addresses fall within the jurisdiction of the Senate Banking Committee, and are inappropriate topics for Senate Judiciary Committee legislation.

I fully support many of the purported goals of this legislation: the protection of sensitive personal information by entities that have custody of it; and providing consumers with the ability to protect themselves in the event that a data breach could lead to a significant risk of identity theft. I believe this risk-based standard is essential if we are to avoid defeating the purpose for which the legislation has been designed to address.

Unfortunately, I cannot support S. 495 and fear that it not only strays too far from these core objectives, but the manner in which it is crafted will likely have significant negative impacts on the consumer, and eventually the economy at large.

While I commend the Chairman's efforts in this area, I feel that S. 495 is not the most effective, well drafted effort from the Judiciary Committee on this issue. This legislation not only contains a number of potentially harmful policy decisions, but it also has some significant drafting flaws as well. These problems will reduce protections for consumers, increasing their chances of becoming victims of identity theft by undermining fraud detection and authentication tools, making them less reliable. Additionally, they will lead to over-notification of consumers when data breaches occur, thereby diluting the effectiveness of consumer notice. Finally, I believe S. 495 creates internally inconsistent and confusing burdens on companies, with no quantifiable benefit to the consumer.

BACKGROUND

Identity theft is a very important issue facing America today, and both business and government have spent a tremendous amount of time and effort to understand and combat this crime. For instance, law enforcement at the federal, state and local levels have started to cooperate more with each other, and with international law enforcement, to pursue the perpetrators of these crimes. Similarly, as noted in detail by the President's Identity Theft Task Force Report, released after 10 months of study on April 11, 2007, the business community, which ultimately bears the major financial cost of credit fraud associated with identity theft,\16\ has spent literally billions of dollars enhancing data security, building better ways to detect and stop fraud and identity theft before it occurs, and working with victims. These efforts are starting to pay off. Consider the following:

--Identity theft complaints were down 3.7% in 2006, and credit card complaints have been declining, as well, down 18.75% between 2003 and 2005.
--Fraudulent new account openings for credit cards have decreased most significantly since the first year that the FTC gathered statistics, down 19.17% between 2003 and 2005.
--FTC survey data shows a downward trend in total victims from 10.1 million in 2002 to 8.9 million in 2005, an 11.9% reduction; and
--FTC data show that complaints in a variety of key categories have held steady or dropped between 2003 and 2005.

While the problems of identity theft are still too big, and need to be addressed, progress is being made.

\16\ President's ID Theft Task Force Report: Combating Identity Theft, A Strategic Plan, p. 11a.
The goal of legislation to address these issues, therefore, should be to build upon the success that consumers, law enforcement and business have already started to achieve, not to undermine that progress.

Therefore, the first step in addressing this issue is to ensure that consumers have the tools to protect themselves in the event of a data breach. Americans need to know that when information pertaining to them is compromised in a way that may jeopardize their identities, they will be notified. Without such a risk-based notice, they will be aware that they need to take steps to protect their identities after a data breach occurs. This straddle between the occurrences of a breach and when consumers should be notified is a critical issue that needed to be effectively addressed through legislation, and yet it did not happen. We know from the experience of the Gramm-Leach-Bliley Act (GLBA) that over-notification leads to consumer apathy, with the results that consumers are exposed to increasing risks. This problem, however, was not adequately addressed by S. 495.

In addition, Congress should build upon the statutes already in place to ensure that companies who hold sensitive personal data take reasonable steps to protect that data. In this respect, I commend the Chairman for extending the GLBA Safeguards Rule to non-financial entities. Consumers deserve to have data that pertains to them protected, no matter whether the custodian is a financial institution, a retailer, or a non-profit. Adoption of a targeted bill aimed at data security and consumer notification is the proper solution. S. 495 goes far beyond that and lessens the likelihood that legislation will pass and that consumers will be better protected.

S. 1326, THE NOTIFICATION OF RISK TO PERSONAL DATA ACT (109TH CONGRESS) REINTRODUCED AS S. 1202, THE PERSONAL DATA PROTECTION ACT (110TH CONGRESS)

I first introduced legislation to address this issue in 2005 in response to massive data security breaches at major companies, and the potential injury those breaches generated. That bill, the Notification of Risk to Personal Data Act (S. 1326), was reported by the Senate Judiciary Committee by unanimous consent on October 20, 2005. Once reported by the Committee, however, no floor action was taken in the 109th Congress on that or any other bill which addressed data security. Part of the reason was the presence of several bills that sought to go well beyond the problem of data security and notification. With the reporting of S. 495 and the defeat of S. 1202 because, according to the Chairman, it did not hold industry ``accountable enough,'' we are running the risk of a repeat of that political gridlock, and consumers will doubtless suffer from our inaction.

The need for legislation in this area has not abated. Indeed, with the publicity of recent breaches, it has only increased. On April 24, 2007, I introduced the Personal Data Protection Act (S. 1202), which would effectively combat the problems of security breaches in three ways. First, the bill requires all companies, regardless of industry, to install security procedures and practices, so that sensitive personal information is protected--if a company is going to hold sensitive personal information, it has the duty to protect it. Second, it provides consumers with a uniform, risk-based notice and standard in the event of a security breach, balancing the need to notify consumers when a breach has occurred with the very real possibility that over-notification may desensitize consumers from real threats. National standards for security procedures and notification procedures are imperative both for consumers and the businesses that have to comply with those standards. Third, it contains reasonable compliance standards.
An entity that discovers a security breach must send individuals a clear and conspicuous description of the information disclosed and provide a toll-free number for customers to call to obtain further information. The notification would have to have been in writing, or via phone or email, with a few exceptions (if sufficient contact information does not exist; if notice would cost more than $250,000; or if more than 500,000 customers must be contacted).

We want people to take it seriously when they receive notice of a breach. We know from experience that sending too many notices will lead to public immunization. People will stop heeding the warnings they receive and fail to take proper steps if they are told too many times that they are the victims of a security breach. This result can be avoided by imposing a risk-based notification requirement only when there is a ``significant risk of identity theft.''

Under S. 1202, entities must disclose a security breach when there is a ``significant risk of identity theft to an individual'' caused by the unauthorized disclosure of computerized data. Unlike bills introduced by my colleagues, such as S. 495, my bill does not require notification if the data that is jeopardized could not lead to a significant risk of identity theft. For example, if the data that is stolen cannot be accessed, there is no risk to any individual, and thus no need to require notification. Or, if information stolen is information that is otherwise publicly available, no notice is required.

I believe an essential part of preventing harm from these breaches is making consumers aware of the problem. Consumers who find that data pertaining to them has been jeopardized should be alerted so that they can monitor their financial accounts for the risk of identity theft. No one will monitor the situation as thoroughly as the person who would be most affected by having their financial information compromised--the victim themselves.

S. 495, THE PERSONAL DATA PRIVACY AND SECURITY ACT

Though I support many of the stated goals of this legislation, I have concerns that S. 495 may create a convoluted framework for companies which may result in more harm to consumers than good.

1. The Notice provisions will result in over-notification

As a result of the way in which the bill is drafted, I believe over-notification to individuals of non-harmful data breaches is inevitable. Furthermore, although the bill attempts to establish a ``safe harbor'' for encrypted or unusable data, the confusing parallel tracks of Sections 311 and 312 will not provide companies with much confidence that the safe harbor will be available to them. Specifically, Section 311(a) requires notification upon the ``discovery'' of a breach, and does not provide a company with the opportunity to determine if the data in any way causes ``harm'' to consumers. The term ``harm'' is potentially very broad, and the bill does not define it. In fact, when Senator Feinstein was asked during markup what it meant, she was unable to say. Does it mean economic loss? Increased anxiety? Mere inconvenience? We do not know, and neither will the entities who will be obligated to comply with the statute if it should become law. But the potential liability will be substantial. When enacting the law, I believe it is our duty and our responsibility to be precise, and this amorphous term invites abuse and over-application.

Further, it is by definition unreasonable to impose a ``risk assessment'' as a precondition to taking advantage of the ``Safe Harbor,'' because the result will be illusory protection. This will result in a flood of notices for data breaches where there is virtually no risk. This will be detrimental to consumers who will inevitably become desensitized to notice and ignore them altogether.

2. The legislation should specifically and completely exempt entities regulated by other federal laws from the provisions of this Act

Consumer reporting agencies (CRAs) are already fully regulated under requirements under the Fair Credit Reporting Act (FCRA), and financial institutions are regulated under the Gramm-Leach-Bliley Act. Companies that are already regulated under the FCRA and Gramm-Leach-Bliley (GLB) should be specifically exempt from this Act, and from the definition of ``data broker'' because they are already subject to rigorous data safeguard requirements under these statutes. The Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.) is a time-tested statute that has received frequent and thoughtful review by Congress, and was most recently updated in 2003, with extensive changes implemented by the FACT Act (Pub. L. 108-159).\17\

The requirements laid out in this legislation would create a host of conflicting, inconsistent, unworkable and potentially negative impacts on FCRA-regulated entities, and could have significant negative effects on consumers. Compliance with parallel provisions under the FCRA and the GLBA should constitute compliance with the bill. The bill's requirements for information security already closely track the provisions of the Safeguards Rule.

\17\ That Act contained a number of significant provisions designed to protect consumers and combat identity theft, and I again compliment Senator Shelby for his work on that legislation as the then-Chairman of the Senate Banking Committee.
Further, assuming that it was the Committee's intent to exempt FCRA and GLB covered entities from the scope of some provisions of this Act, the exemption crafted by the Judiciary Committee is far from perfect, and would in many cases subject FCRA regulated entities to duplicative and conflicting standards. Rather than having the Judiciary Committee attempt to craft those exemptions, we should defer to the Banking Committee, which has the expertise to determine that the exemptions are as complete as intended.

3. The legislation should fully preempt all state and local laws regarding these issues

As a general matter, I believe that there is no reason for the Congress to act in this area if it does not effectively preempt the growing number of state laws now in effect and give protection to consumers in states not now covered by any state law. In this instance, the preemption provisions contained in S. 495 are too narrow. The U.S. has a national economy, and more than half the states have enacted various data security, breach notification and other requirements. Adding a confusing federal standard that is inconsistent not only with state and federal laws, would make compliance very difficult. Accordingly, the preemption standards in this legislation should explicitly preempt all state laws relating to any activity covered under this Act: I would urge replacing this approach with one that preempts ``. . . the subject matter regulated by this Act'' to obtain as broad a preemptive standard as possible.

4. Other issues

Before concluding, I would like to comment on a couple of the other provisions in S. 495 that I believe to be inappropriate for a data security and notification bill, and which add, as I mentioned earlier, unnecessary baggage that might be politically attractive to their advocates but which do not ultimately serve the interests of the consumers we are pledged to protect.
The first such language appears in the form of the data broker language in Title II of S. 495. Notwithstanding the exemptions incorporated into this title, the Committee makes the definition of who is, or is not, a data broker far too broad, and in so doing risks covering a range of entities not contemplated by the bill. And the result of this inclusion will inevitably be that its sponsors will contribute to increased fraud. It's a fact that fraud detection tools are used by much of the business community, from financial institutions (who understandably use them most frequently) to journalists who use them to locate sources, attorneys to locate witnesses, and parents who use them to conduct background checks on childcare providers. If databases are opened up, as S. 495 envisions, it will be just a matter of time before those databases are accessed by criminals, and the absence, over time, of ``negative'' information, these tools will become less reliable.

A second additional element of the bill is Sen. Ben Cardin's amendment, offered for the first time at mark-up and never fully vetted, which requires that any adverse action resulting from information provided by a data broker must require a notification of that adverse action followed by the opportunity to ``access and correct'' that information. This amendment will cause tumult in the business community and has no place in this bill.

Last, Sen. Whitehouse used S. 495 as an opportunity to amend the Bankruptcy Abuse Prevention and Consumer Protection Act (Bankruptcy Act), so carefully crafted by this Committee sometime ago. His amendment would adjust the ``means test'' in that statute to exempt debtors who are the victims of identity theft. It is not only non-germane to data security and notification, thus even more baggage the bill will have to carry, but it is also structurally unnecessary. As the lead sponsor of the Bankruptcy Act, Sen. Charles Grassley, so eloquently noted during the markup, the ``special circumstances'' language already contained in the Bankruptcy Act contemplates just this kind of situation, obviating the need for this language but inviting further amendments to adjust the Bankruptcy Act on the Senate Floor.

CONCLUSION

For these reasons, I dissent from the views and policy represented by S. 495, and I would urge my colleagues to revisit many of the policy and drafting problems created by this bill.

Jeff Sessions.

VIII. Changes in Existing Law Made by the Bill as Reported

In compliance with paragraph 12 of rule XXVI of the Standing Rules of the Senate, the Committee finds that it is necessary to dispense with the requirement of paragraph 12 to expedite the business of the Senate.

APPENDIX

PRIVACY RIGHTS CLEARINGHOUSE CHRONOLOGY OF DATA BREACHES AS OF MAY 21, 2007

CHRONOLOGY OF DATA BREACHES

Date made public | Name (Location) | Type of breach | Number of records

2005

Jan. 10, 2005 | George Mason University (Fairfax, VA) | Names, photos, and Social Security numbers of 32,000 students and staff were compromised because of a hacker attack on the university's main ID server. | 32,000
Jan. 18, 2005 | Univ. of CA, San Diego (San Diego, CA) | A hacker breached the security of two University computers that stored the Social Security numbers and names of students and alumni of UCSD Extension. | 3,500
Jan. 22, 2005 | University of Northern Colorado (Greeley, CO) | A hard drive was apparently stolen. It contained information on current and former University employees and their beneficiaries--name, date of birth, SSN, address, bank account and routing number. | 30,000
Feb. 12, 2005 | Science Applications International Corp. (SAIC) (San Diego, CA) | On Jan. 25 thieves broke into a SAIC facility and stole computers containing names, SSNs, and other personal information of past and current employees. Stolen information included names, SSNs, addresses, phone numbers and records of financial transactions. | 45,000 employees
Feb. 15, 2005 | ChoicePoint (Alpharetta, GA) | Bogus accounts established by ID thieves. The initial number of affected records was estimated at 145,000 but was later revised to 163,000. UPDATE (1/26/06): ChoicePoint settled with the Federal Trade Commission for $10 million in civil penalties and $5 million for consumer redress. UPDATE (12/06/06): The FTC announced that victims of identity theft as a result of the data breach who had out-of-pocket expenses can now be reimbursed. The claims deadline is Feb. 4, 2007. | 163,000
Feb. 18, 2005 | Univ. of Chicago Hospital (Chicago, IL) | Dishonest insider | 85
Feb. 25, 2005 | Bank of America (Charlotte, NC) | Lost backup tape | 1,200,000
Feb. 25, 2005 | PayMaxx (Miramar, FL) | Exposed online | 25,000
March 8, 2005 | DSW/Retail Ventures (Columbus, OH) | Hacking | 100,000
March 10, 2005 | LexisNexis (Dayton, OH) | Passwords compromised. UPDATE (06/30/06): Last week, five men were arrested in connection with this breach. | 32,000
March 11, 2005 | Univ. of CA, Berkeley (Berkeley, CA) | Stolen laptop | 98,400
March 11, 2005 | Kaiser Permanente (Oakland, CA) | A disgruntled employee posted information on her blog noting that Kaiser Permanente included private patient information on systems diagrams posted on the Web. UPDATE (6/21/2005): The California Department of Managed Health Care fined Kaiser $200,000 for exposing the confidential health information. | 140
March 11, 2005 | Boston College (Boston, MA) | Hacking | 120,000
March 12, 2005 | NV Dept. of Motor Vehicle | Stolen computer. UPDATE: The computer was later recovered. | [8,900] Not included in total below.
March 20, 2005 | Northwestern Univ. (Evanston, IL) | Hacking | 21,000
March 20, 2005 | Univ. of NV, Las Vegas (Las Vegas, NV) | Hacking | 5,000
March 22, 2005 | Calif. State Univ. (Chico, CA) | Hacking | 59,000
March 23, 2005 | Univ. of CA (San Francisco, CA) | Hacking | 7,000
March 25, 2005 | Purdue University (West Lafayette, IN) | Computers in the College of Liberal Arts' Theater Dept. were hacked, exposing personal information of employees, students, graduates, and business affiliates. | 1,200 (not included in total because news stories are not clear if SSNs or financial information were exposed)
April ?, 2005 | Georgia DMV | Dishonest insider | 465,000
April 5, 2005 | MCI (Ashburn, VA) | Stolen laptop | 16,500
April 5, 2005 | Univ. of CA, Davis (Davis, CA) | The names and Social Security numbers of students, faculty, visiting speakers and staff may have been compromised when a hacker accessed a main computer. | 1,100
April 6, 2005 | University of California, San Francisco | A server in the accounting and personnel departments was hacked. It contained information on 7,000 students, faculty, and staff members. The affected individuals were notified March 23. | 7,000
April 8, 2005 | Eastern National | Hacker | 15,000
April 8, 2005 | San Jose Med. Group (San Jose, CA) | Stolen computer | 185,000
April 11, 2005 | Tufts University (Boston, MA) | Hacking | 106,000
April 12, 2005 | LexisNexis (Dayton, OH) | Passwords compromised. UPDATE (06/30/06): Last week, five men were arrested in connection with this breach. | Additional 280,000
April 14, 2005 | Polo Ralph Lauren/HSBC (New York, NY) | Hacking | 180,000
April 14, 2005 | Calif. Fastrack | Dishonest insider | 4,500
April 15, 2005 | CA Dept. of Health Services | Stolen laptop | 21,600
April 18, 2005 | DSW/Retail Ventures (Columbus, OH) | Hacking | Additional 1,300,000
April 20, 2005 | Ameritrade (Bellevue, NE) | Lost backup tape | 200,000
April 21, 2005 | Carnegie Mellon Univ. (Pittsburgh, PA) | Hacking | 19,000
April 26, 2005 | Mich. State Univ's Wharton Center | Hacking | 40,000
April 26, 2005 | Christus St. Joseph's Hospital (Houston, TX) | Stolen computer | 19,000
April 28, 2005 | Georgia Southern Univ. | Hacking | ``tens of thousands''
April 28, 2005 | Wachovia, Bank of America, PNC Financial Services Group and Commerce Bancorp | Dishonest insiders | 676,000
April 29, 2005 | Oklahoma State Univ. | Missing laptop | 37,000
May 2, 2005 | Time Warner (New York, NY) | Lost backup tapes | 600,000
May 4, 2005 | CO. Health Dept. | Stolen laptop | 1,600 (families)
May 5, 2005 | Purdue Univ. (West Lafayette, IN) | Hacking | 11,360
May 7, 2005.......................... Dept. of Justice Stolen laptop.......... 80,000 (Washington, D.C.). May 11, 2005......................... Stanford Univ. Hacking................ 9,900 (Stanford, CA). May 12, 2005......................... Hinsdale Central High Hacking................ 2,400 School (Hinsdale, IL). May 16, 2005......................... Westborough Bank Dishonest insider...... 750 (Westborough, MA). May 18, 2005......................... Jackson Comm. College Hacking................ 8,000 (MI). May 18, 2005......................... Univ. of Iowa.......... Hacking................ 30,000 May 19, 2005......................... Valdosta State Univ. Hacking................ 40,000 (GA). May 25, 2005......................... North Carolina Div. of On Feb. 10, an employee None. Motor Vehicles downloaded addresses (Greensboro, NC). of 3.8 million people but was detected and stopped before being able to retrieve more sensitive information such as driver's license numbers. May 26, 2005......................... Duke Univ. (Durham, NC) Hacking................ 5,500 May 27, 2005......................... Cleveland State Univ. Stolen laptop.......... [44,420] Not included (Cleveland, OH). UPDATE (12/24): CSU in total below. found the stolen laptop. May 28, 2005......................... Merlin Data Services Bogus acct. set up..... 9,000 (Kalispell, MT). May 30, 2005......................... Motorola............... Computers stolen....... Unknown. June 6, 2005......................... CitiFinancial.......... Lost backup tapes...... 3,900,000 June 10, 2005........................ Fed. Deposit Insurance Not disclosed.......... 6,000 Corp. (FDIC). June 16, 2005........................ CardSystems............ Hacking................ 40,000,000 June 17, 2005........................ Kent State Univ........ Stolen laptop.......... 1,400 June 18, 2005........................ Univ. of Hawaii........ Dishonest Insider...... 150,000 June 22, 2005........................ 
Eastman Kodak.......... Stolen laptop.......... 5,800 June 22, 2005........................ East Carolina Univ..... Hacking................ 250 June 25, 2005........................ Univ. of CT (UCONN).... Hacking................ 72,000 June 28, 2005........................ Lucas Cty. Children Exposed by email....... 900 Services (OH). June 29, 2005........................ Bank of America........ Stolen laptop.......... 18,000 June 30, 2005........................ Ohio State Univ. Med. Stolen laptop.......... 15,000 Ctr.. July 1, 2005......................... Univ. of CA, San Diego. Hacking................ 3,300 July 6, 2005......................... City National Bank..... Lost backup tapes...... Unknown. July 7, 2005......................... Mich. State Univ....... Hacking................ 27,000 July 19, 2005........................ Univ. of Southern Calif Hacking................ 270,000 possibly (USC). accessed; ``dozens'' exposed. July 21, 2005........................ Univ. of Colorado-- Hacking................ 49,000 Boulder. UPDATE (08/20/2005): The number of students affected was increased from an estimate of 42,000 to 49,000. July 30, 2005........................ San Diego Co. Employees Hacking................ 33,000 Retirement Assoc.. July 30, 2005........................ Calif. State Univ., Hacking................ 9,613 Dominguez Hills. July 31, 2005........................ Cal Poly-Pomona........ Hacking................ 31,077 Aug. 2, 2005......................... Univ. of Colorado...... Hacking................ 36,000 Aug. 9, 2005......................... Sonoma State Univ...... Hacking................ 61,709 Aug. 9, 2005......................... Univ. of Utah.......... Hacking................ 100,000 Aug. 10, 2005........................ Univ. of North Texas... Hacking................ 39,000 Aug. 17, 2005........................ Calif. State Hacking................ 900 University, Stanislaus. Aug. 19, 2005........................ Univ. of Colorado...... 
Hacking................ 49,000 Aug. 22, 2005........................ Air Force.............. Hacking................ 33,300 Aug. 27, 2005........................ Univ. of Florida, Stolen Laptop.......... 3,851 Health Sciences Center/ ChartOne. Aug. 30, 2005........................ J.P. Morgan Chase & Co. Stolen laptop (Aug. 8) Unknown. (Dallas, TX). containing personal and financial account information of customers of its private bank. Aug. 30, 2005........................ Calif. State Hacking................ 154 University, Chancellor's Office. Sept. 2, 2006........................ Iowa Student Loan (W. Compact disk containing 165,000 Des Moines). personal information, including SSNs, was lost when shipped by private courier. Sept. 10, 2005....................... Kent State Univ........ Stolen computers....... 100,000 Sept. 15, 2005....................... Miami Univ............. Exposed online......... 21,762 Sept. 16, 2005....................... ChoicePoint (2nd ID thieves accessed; [Total later revised to notice, see 2/15/05) also misuse of IDs & 163,000--see 2/15/05 (Alpharetta, GA). passwords. above] Sept. 17, 2005....................... North Fork Bank, NY.... Stolen laptop (7/24/05) 9,000 with mortgage data. Sept. 19, 2005....................... Children's Health Stolen backup tape..... 5,000-6,000 Council, San Jose CA. Sept. 22, 2005....................... City University of New Exposed online......... 350 York. Sept. 23, 2005....................... Bank of America........ Stolen laptop with info Not disclosed of Visa Buxx users (debit cards). Sept. 28, 2005....................... RBC Dain Rauscher...... Illegitimate access to 100+ customers' records customer data by compromised out of former employee. 300,000 Sept. 29, 2005....................... Univ. of Georgia....... Hacking................ At least 1,600 Oct. 12, 2005........................ Ohio State Univ. Exposed online. 2,800 Medical Center. 
Appointment information including SSN, DOB, address, phone no., medical no., appointment reason, physician. Oct. 15, 2005........................ Montclair State Univ... Exposed online......... 9,100 Oct. 21, 2005........................ Wilcox Memorial Lost backup tape....... 130,000 Hospital, Hawaii. Nov. 1, 2005......................... Univ. of Tenn. Medical Stolen laptop.......... 3,800 Center. Nov. 4, 2005......................... Keck School of Stolen computer........ 50,000 Medicine, USC. Nov. 5, 2005......................... Safeway, Hawaii........ Stolen laptop.......... 1,400 in Hawaii, perhaps more elsewhere Nov. 8, 2005......................... ChoicePoint Bogus accounts [Total later revised to (Alpharetta, GA). established by ID 163,000--see 2/15/05 thieves. Total above] affected now reaches 163,000 (See Feb. 15 & Sept. 16). Nov. 9, 2005......................... TransUnion............. Stolen computer........ 3,623 Nov. 11, 2005........................ Georgia Tech Ofc. of Stolen computer, Theft 13,000 Enrollment Services. 10/16/05. Nov. 11, 2005........................ Scottrade Troy Group... Hacking................ Unknown. Nov. 19, 2005........................ Boeing................. Stolen laptop with HR 161,000 data incl. SSNs and bank account info. Dec. 1, 2005......................... Firstrust Bank......... Stolen laptop.......... 100,000 Dec. 1, 2005......................... Univ. of San Diego (San Hacking. Faculty, 7,800 Diego, CA). students and employee tax forms containing SSNs. Dec. 2, 2005......................... Cornell Univ........... Hacking. Names, 900 addresses, SSNs, bank names and acct. numbers. Dec. 6, 2005......................... WA Employment Security Stolen laptop. Names, 530 Dept. SSNs and earnings of former employees. Dec. 7, 2005......................... Idaho State University, ISU discovered a Unknown. Office of security breach in a Institutional Research server containing (Pocatello, ID). 
archival information Contact Information about students, Technology Services, faculty, and staff, (208) 282-2872. including names, SSNs, birthdates, and grades. Dec. 12, 2005........................ Sam's Club/Wal-Mart.... Exposed credit card Unknown. data at gas stations. Dec. 16, 2005........................ La Salle Bank, ABN AMRO Backup tape with [2,000,000] Not Mortgage Group. residential mortgage included in total customers lost in below shipment by DHL, containing SSNs and account information. UPDATE (12/20/05): DHL found the lost tape. Dec. 16, 2005........................ Colorado Tech. Univ.... Email erroneously sent 1,200 containing names, phone numbers, email addresses, Social Security numbers and class schedules. Dec. 20, 2005........................ Guidance Software, Inc. Hacking. Customer 3,800 credit card numbers. UPDATE (4/3/07): The FTC came to a settlement agreement and final consent order against Guidance Software. Dec. 22, 2005........................ Ford Motor Co.......... Stolen computer. Names 70,000 and SSNs of current and former employees. Dec. 25, 2005........................ Iowa State Univ........ Hacking. Credit card 5,500 information and Social Security numbers. Dec. 25, 2005........................ Ameriprise Financial A laptop was stolen 260,000 Inc. (Minneapolis, from an employee's car MN), (877) 267-7408. Christmas eve. It contained customers' names and Social Security numbers and in some cases, Ameriprise account information. UPDATE (08/06): The laptop was recovered by local law enforcement in the community where it was stolen. UPDATE (12/11/06): The company settled with the Massachusetts securities regulator in the office of the Secretary of State. Ameriprise agreed to hire an independent consultant to review its policies and procedures for employees' and contractors' use of laptops containing personal information. Ameriprise will pay the state regulator $25,000 for the cost of the investigation. 
2005 [Exact date unknown]............ U.S. Dept. of Veteran's A laptop being stored 66 Affairs (Washington, in the trunk of a car D.C.). was stolen in Minneapolis, Minnesota. 2 people later reported identity fraud problems. ---------------------------------------------------------------------------------------------------------------- 2006 ---------------------------------------------------------------------------------------------------------------- Jan. 1, 2006......................... University of 6 Stolen computers. 700 Pittsburgh Medical Names, Social Security Center, Squirrel Hill numbers, birthdates. Family Medicine. Jan. 2, 2006......................... H&R Block.............. SSNs exposed in 40- Unknown. digit number string on mailing label. Jan. 9, 2006......................... Atlantis Hotel--Kerzner Dishonest insider or 55,000 Int'l. hacking. Names, addresses, credit card details, Social Security numbers, driver's licence numbers and/or bank account data. Jan. 12, 2006........................ People's Bank.......... Lost computer tape 90,000 containing names, addresses, Social Security numbers, and checking account numbers. Jan. 17, 2006........................ City of San Diego, Dishonest employee Unknown. Water & Sewer Dept. accessed customer (San Diego, CA). account files, including SSNs, and committed identity theft on some individuals. Jan. 20, 2006........................ Univ. Place Conference Hacking. Reservation Unknown. Center & Hotel, information including Indiana Univ.. credit card account number compromised. Jan. 21, 2006........................ California Army Stolen briefcase with ``hundreds of National Guard. personal information officers'' of National Guardsmen including a ``seniority roster,'' Social Security numbers and dates of birth. Jan. 23, 2006........................ Univ. of Notre Dame.... Hackers accessed Social Unknown. Security numbers, credit card information and check images of school donors. Jan. 
24, 2006........................ Univ. of WA Medical Stolen laptops 1,600 Center. containing names, Social Security numbers, maiden names, birth dates, diagnoses and other personal data. Jan. 25, 2006........................ Providence Home Stolen backup tapes and 365,000 Services (Portland, disks containing OR). Social Security numbers, clinical and demographic information. In a small number of cases, patient financial data was stolen. UPDATE (9/26/06): Providence Health System and the Oregon Attorney General have filed a settlement agreement. Providence will provide affected patients with free credit monitoring, offer credit restoration to patients who are victims of identity fraud, and reimburse patients for direct losses that result from the data breach. The company must also enhance its security programs. Jan. 27, 2006........................ State of RI web site Hackers obtained credit 4,117 (www.RI.gov). card information in conjunction with names and addresses. Jan. 31, 2006........................ Boston Globe and The Inadvertently exposed. 240,000 potentially Worcester Telegram & Credit and debit card exposed Gazette. information along with routing information for personal checks printed on recycled paper used in wrapping newspaper bundles for distribution. Feb. 1, 2006......................... Blue Cross and Blue Inadvertently exposed. 600 Shield of North SSNs of members Carolina. printed on the mailing labels of envelopes with information about a new insurance plan. Feb. 4, 2006......................... FedEx.................. Inadvertently exposed. 8,500 W-2 forms included other workers' tax information such as SSNs and salaries. Feb. 9, 2006......................... Unknown retail Hacking. Debit card 200,000, although total merchants, apparently accounts exposed number is unknown OfficeMax and perhaps involving bank and others. credit union accounts nationwide (including CitiBank, BofA, WaMu, Wells Fargo). [3/13/06 Crime ring arrested.]. Feb. 
9, 2006......................... Honeywell International Exposed online. 19,000 Personal information of current and former employees including Social Security numbers and bank account information posted on an Internet Web site. Feb. 13, 2006........................ Ernst & Young (UK)..... Laptop stolen from 38,000 BP employees in employee's car with addition to Sun, Cisco customers' personal and IBM employees information including Social Security numbers. Feb. 15, 2006........................ Dept. of Agriculture... Inadvertently exposed 350,000 Social Security and tax identification numbers in FOIA request. Feb. 15, 2006........................ Old Dominion Univ...... Exposed online. 601 Instructor posted a class roster containing names and Social Security numbers to a web site. Feb. 16, 2006........................ Blue Cross and Blue Contractor sent names 27,000 Shield of Florida. and Social Security numbers of current and former employees, vendors and contractors to his home computer in violation of company policies. Feb. 17, 2006........................ Calif. Dept. of Inmates gained access Unknown. Corrections, Pelican to files containing Bay (Sacramento, CA). employees' Social Security numbers, birth dates and pension account information stored in warehouse. Feb. 17, 2006........................ Mount St. Mary's Two laptops containing 17,000 Hospital (1 of 10 date of birth, address hospitals with patient and Social Security info. stolen) numbers of patients (Lewiston, NY). was stolen in an armed robbery in the New Jersey. Feb. 18, 2006........................ Univ. of Northern Iowa. Hacking. Laptop 6,000 computer holding W-2 forms of student employees and faculty was illegally accessed. Feb. 23, 2006........................ Deloitte & Touche External auditor lost a 9,290 (McAfee employee CD with names, Social information). Security numbers and stock holdings in McAfee of current and former McAfee employees. Mar. 1, 2006......................... 
Medco Health Solutions Stolen laptop 4,600 (Columbus, OH). containing Social Security numbers for State of Ohio employees and their dependents, as well as their birth dates and, in some cases, prescription drug histories. Mar. 1, 2006......................... OH Secretary of State's SSNs, dates of birth, Unknown. Office. and other personal data of citizens routinely posted on a State web site as part of standard business practice. Mar. 2, 2006......................... Olympic Funding 3 hard drives Unknown. (Chicago, IL). containing clients names, Social Security numbers, addresses and phone numbers stolen during break in. Mar. 2, 2006......................... Los Angeles Cty. Dept. File boxes containing [Potentially 2,000,000, of Social Services names, dependents, but number unknown] (Los Angeles, CA). Social Security Not included in number numbers, telephone below numbers, medical information, employer, W-2, and date of birth were left unattended and unshredded. Mar. 2, 2006......................... Hamilton County Clerk SSNs, other personal [1,300,000] Not of Courts (OH). data of residents included in number posted on county Web below. site, were stolen and used to commit identity theft. UPDATE (9/28/06): An identity thief was sentenced to 13 years in prison for the crimes. She stole 100 identities and nearly $500,000. The Web site now blocks access to court documents containing personal information. Mar. 3, 2006......................... Metropolitan State Stolen laptop 93,000 College (Denver, CO). containing names and Social Security numbers of students who registered for Metropolitan State courses between the 1996 fall semester and the 2005 summer semester. Mar. 5, 2006......................... Georgetown Univ. Hacking. Personal 41,000 (Washington, D.C.). information including names, birthdates and Social Security numbers of District seniors served by the Office on Aging. Mar. 8, 2006......................... 
Verizon Communications 2 stolen laptops ``Significant number'' (New York, NY). containing employees' personal information including Social Security numbers. Mar. 8, 2006......................... iBill (Deerfield Beach, Dishonest insider or [17,781,462] Not FL). possibly malicious included in total software linked to below iBill used to post names, phone numbers, addresses, e-mail addresses, Internet IP addresses, logins and passwords, credit card types and purchase amount online. Credit card account numbers, expiration dates, security codes, and SSNs were NOT included, but in our opinion the affected individuals could be vulnerable to social engineering to obtain such information. Mar. 11, 2006........................ CA Dept. of Consumer Mail theft. ``A small number'' Affairs (DCA) Applications of DCA (Sacramento, CA). licensees or prospective licensees for CA state boards and commissions were stolen. The forms include full or partial Social Security numbers, driver's license numbers, and potentially payment checks. Mar. 14, 2006........................ General Motors Dishonest insider kept 100 (Detroit, MI). Social Security numbers of co-workers to perpetrate identity theft. Mar. 14 2006......................... Buffalo Bisons and Hacker accessed Unknown. Choice One Online sensitive financial (Buffalo, NY). information including credit card numbers names, passwords of customers who ordered items online. Mar. 15, 2006........................ Ernst & Young (UK)..... Laptop lost containing Unknown. the names, dates of birth, genders, family sizes, Social Security numbers and tax identifiers for current and previous IBM, Sun Microsystems, Cisco, Nokia and BP employees exposed. Mar. 16, 2006........................ Bananas.com (San Hacker accessed names, 274 Rafael, CA). addresses, phone numbers and credit card numbers of customers. Mar. 23, 2006........................ Fidelity Investments Stolen laptop 196,000 (Boston, MA). 
containing names, addresses, birth dates, Social Security numbers and other information of 196,000 Hewlett Packard, Compaq and DEC retirement account customers was stolen. Mar. 24, 2006........................ CA State Employment Computer glitch sends 64,000 Development Division state Employment (Sacramento, CA). Development Division 1099 tax forms containing Social Security numbers and income information to the wrong addresses, potentially exposing those taxpayers to identity theft. Mar. 24, 2006........................ Vermont State Colleges Laptop stolen 14,000 (VT). containing Social Security numbers and payroll data of students, faculty and staff associated with the five-college system from as long ago as 2000. Mar. 30, 2006........................ Marines (Monterey, CA). Portable drive lost 207,750 that contains personal information used for research on re- enlistment bonuses. Mar. 30, 2006........................ Georgia Technology Hacker exploited 573,000 Authority (Atlanta, security flaw to gain GA). access to confidential information including Social Security numbers and bank- account details of state pensioners. Mar. 30, 2006........................ Conn. Technical High Social Security numbers 1,250 School System of students and (Middletown, CT). faculty mistakenly distributed via email. April 1, 2006........................ Con Edison (New York).. Con Edison shipped 2 15,000 Con Edison cartridge tapes to employees. JPMorgan Chase in upstate Binghamton so it could input data on behalf of the NY Dept. of Taxation and Finance. One tape was apparently lost containing employees' W-2 data, including names, addresses, SSNs, taxes paid and salaries. April 6, 2006........................ Progressive Casualty Dishonest insider 13 Insurance (Mayfield accessed confidential Village, OH). information, including names, Social Security numbers, birth dates and property addresses on foreclosure properties she was interested in buying. 
April 7, 2006........................ DiscountDomainRegistry. Exposed online. Domain ``thousands of domain com (Brooklyn, NY). registrants' personal name registrations''. information including usernames, passwords and credit card numbers were accessible online. April 9, 2006........................ University of Medicine Hackers accessed Social 1,850 and Dentistry of New Security numbers, loan Jersey (Newark, NJ). information, and other confidential financial information of students and alumni. April 12, 2006....................... Ross-Simons Security breach exposed Unknown. (Providence, RI). account and personal information of those who applied for its private label credit card. Information exposed includes private label credit card numbers and other personal information of applicants. April 14, 2006....................... NewTech Imaging Records containing the 40,000 (Honolulu, HI). names, Social Security numbers and birth dates of more than 40,000 members of Voluntary Employees Benefit Association of Hawaii were illegally reproduced at a copying business before they were to be put onto a compact disc for the State. Police later found the data on a computer that had been confiscated as part of a drug investigation. April 14, 2006....................... Univ. of South Carolina Social Security numbers 1,400 (Columbia, SC). of students were mistakenly e-mailed to classmates. April 15, 2006....................... Scott County, IA....... The Social Security Unknown. numbers of people who obtained mortgages in the early 1990s are visible in documents posted on the county's website. The county will redact the information at the individuals' request. April 21, 2006....................... University of Alaska, A hacker accessed 38,941 Fairbanks (Fairbanks, names, Social Security AK). numbers, and partial e- mail addresses of current and former students, faculty, and staff. April 21, 2006....................... Boeing (Seattle, WA)... 
A laptop was taken from 3,600 current and a Boeing human former employees resources employee at Sea-Tac airport. It contained SSNs and other personal information, including personnel information from the 2000 acquisition of Hughes Space and Communications. April 21, 2006....................... Ohio University A server containing Unknown. Innovation Center data including e- (Athens, OH). mails, patent and intellectual property files, and 35 Social Security numbers associated with parking passes was compromised. April 24, 2006....................... University of Texas' Hackers accessed 197,000 McCombs School of records containing Business (Austin, TX). names, biographical information and, in some cases, Social Security numbers and dates of birth of current and prospective students, alumni, faculty members, corporate recruiters and staff members. April 24, 2006....................... Ohio University Hackers accessed a 300,000 (Athens, OH). computer system of the school's alumni relations department that included biographical information and 137,000 Social Security numbers of alum. April 26, 2006....................... Purdue University (West Hacker accessed 1,351 Lafayette, IN). personal information including Social Security numbers of current and former graduate students, applicants to graduate school, and a small number of applicants for undergraduate scholarships. April 26, 2006....................... Aetna--health insurance Laptop containing 38,000 records for employees personal information of 2 members, including names, including Omni Hotels addresses and Social and the Dept. of Security numbers of Defense NAF (Hartford, Dept. of Defense CT). (35,253) and Omni Hotel employees (3,000) was stolen from an Aetna employee's car. April 27, 2006....................... MasterCard (Potentially Though MasterCard [2,000] Not included in UK only). 
Date | Entity (location) | Type of breach | Number affected

(continuation of the entry begun above) | ... refused to say how the breach occurred, fraudsters stole the credit card details of holders in a major security breach. | ... the total below

April 27, 2006 | Long Island Rail Road (Jamaica, NY) | Data tapes containing personal information including names, addresses, Social Security numbers and salary figures of ``virtually everyone'' who worked for the agency were lost by delivery contractor Iron Mountain while en route. Data tapes belonging to the U.S. Department of Veteran's Affairs may also have been affected. | 17,000

April 28, 2006 | Ohio's Secretary of State (Cleveland, OH) | The names, addresses, and Social Security numbers of potentially millions of registered voters in Ohio were included on CD-ROMs distributed to 20 political campaign operations for spring primary election races. The records of about 7.7 million registered voters are listed on the CDs, but it's unknown how many records contained SSNs, which were not supposed to have been included on the CDs. UPDATE (9/15/06): A news report said that some SSNs still remain on the agency's Web site. | ``Potentially millions of registered voters''

April 28, 2006 | Dept. of Defense (Washington, DC) | Hacker accessed a Tricare Management Activity (TMA) public server containing personal information about military employees. | Unknown

May 2, 2006 | Georgia State Government (Atlanta, GA) | Government surplus computers that were sold before their hard drives were erased contained credit card numbers, birth dates, and Social Security numbers of Georgia citizens. | Unknown

May 4, 2006 | Idaho Power Co. (Boise, ID) | Four company hard drives were sold on eBay containing hundreds of thousands of confidential company documents, employee names and Social Security numbers, and confidential memos to the company's CEO. | Unknown

May 4, 2006 | Ohio University Hudson Health Center (Athens, OH) | Names, birth dates, Social Security numbers and medical information were accessed in records of students dating back to 2001, plus faculty, workers and regional campus students. | 60,000

May 2006 | Ohio University (Athens, OH) | A breach was discovered on a computer that housed IRS 1099 forms for vendors and independent contractors for calendar years 2004 and 2005. | 2,480

May 2006 | Ohio University (Athens, OH) | A breach of a computer that hosted a variety of Web-based forms, including some that processed on-line business transactions. Although this computer was not set up to store personal information, investigators did discover files that contained fragments of personal information, including Social Security numbers. The data is fragmentary and it is not certain if the compromised information can be traced to individuals. Also found on the computer were 12 credit card numbers that were used for event registration. | Unknown

May 5, 2006 | U.S. Dept. of Veteran's Affairs (Washington, D.C.) | A data tape disappeared from a VA facility in Indianapolis, IN that contained information on legal cases involving U.S. veterans and included veterans' Social Security numbers, dates of birth and legal documents. UPDATE (10/11/06): The VA's Office of the General Counsel is offering identity theft protection services to those affected by the missing tape. | 16,500

May 5, 2006 | Wells Fargo (San Francisco, CA) | Computer containing names, addresses, Social Security numbers and mortgage loan deposit numbers of existing and prospective customers may have been stolen while being delivered from one bank facility to another. | Unknown

May 12, 2006 | Mercantile Potomac Bank (Gaithersburg, MD) | Laptop containing confidential information about customers, including Social Security numbers and account numbers, was stolen when a bank employee removed it from the premises, in violation of the bank's policies. The computer did not contain customer passwords, personal identification numbers (PIN numbers) or account expiration dates. | 48,000

May 19, 2006 | American Institute of Certified Public Accountants (AICPA) (New York, NY) | An unencrypted hard drive containing names, addresses and Social Security numbers of AICPA members was lost when it was shipped back to the organization by a computer repair company. | 330,000 [Updated 6/16/06]

May 19, 2006 | Unknown retail merchant | Visa, MasterCard, and other debit and credit card numbers from banks across the country were stolen when a national retailer's database was breached. No names, Social Security numbers or other personal identification were taken. | Unknown

May 22, 2006 | U.S. Dept. of Veteran's Affairs (Washington, DC) (800) 827-1000 | On May 3, data of all American veterans who were discharged since 1975, including names, Social Security numbers, dates of birth and in many cases phone numbers and addresses, were stolen from a VA employee's home. Theft of the laptop and computer storage device included data of 26.5 million veterans. The data did not contain medical or financial information, but may have disability numerical rankings. UPDATE: An additional 2.1 million active and reserve service members were added to the total number of affected individuals June 1st. UPDATE (6/29/06): The stolen laptop computer and the external hard drive were recovered. UPDATE (7/14/06): FBI claims no data had been taken from stolen computer. UPDATE (8/5/06): Two teens were arrested in the theft of the laptop. UPDATE (8/25/06): In an Aug. 25 letter, Secretary Nicholson told veterans of the decision to not offer them credit monitoring services. Rather the VA has contracted with a company to conduct breach analysis to monitor for ``patterns of misuse.'' | 28,600,000

May 23, 2006 | Univ. of Delaware (Newark, DE) | Security breach of a Department of Public Safety computer server potentially exposes names, Social Security numbers and driver's license numbers. | 1,076

May 23, 2006 | M&T Bank (Buffalo, NY) | Laptop computer, owned by PFPC, a third party company that provides record keeping services for M & T's Portfolio Architect accounts, was stolen from a vehicle. The laptop contained clients' account numbers, Social Security numbers, last name and the first two letters of their first name. | Unknown

May 23, 2006 | Butler Co. Dept. of Mental Retardation & Developmental Disabilities (Cincinnati, OH) | Three laptop computers were stolen ``last month'' from the agency's office. They contained personal information on mental health clients, including SSNs. | 100 clients

May 23, 2006 | Mortgage Lenders Network USA (Middletown, CT) | A former employee was arrested for extortion for attempting to blackmail his former employer for $6.9 million. He threatened to expose company files containing sensitive customer information--including customers' names, addresses, Social Security numbers, loan numbers, and loan types--if the company didn't pay him. He stole the files over the 16 months he worked there. | 231,000

May 24, 2006 | Sacred Heart Univ. (Fairfield, CT) | It was discovered on May 8th that a computer containing personal information including names, addresses and Social Security numbers was breached. | Unknown

May 24, 2006 | American Red Cross, St. Louis Chapter (St. Louis, MO) | Dishonest employee had access to Social Security numbers of donors to call urging them to give blood again. The employee misused the personal information of at least 3 people to perpetrate identity theft and had access to the personal information of 1 million donors. | 1,000,000

May 25, 2006 | Vystar Credit Union (Jacksonville, FL) | Hacker gained access to member accounts ``a few weeks ago'' and stole personal information including names, addresses, birth dates, mother's maiden names, SSNs and/or email addresses. | Approx. 34,400 (``less than 10% of its 344,000 members'')

May 30, 2006 | Texas Guaranteed Student Loan Corp. (Round Rock, TX) via subcontractor Hummingbird (Toronto, Canada) | Texas Guaranteed (TG) was notified by subcontractor Hummingbird that on May 24, an employee had lost a piece of equipment containing names and Social Security numbers of TG borrowers. UPDATE (6/16/06): TG now says a total of 1.7 million people's information was compromised, 400,000 more than original estimate of 1.3 million. | 1,300,000 plus 400,000 for total of 1,700,000

May 30, 2006 | Florida Int'l Univ. (Miami, FL) | Hacker accessed a database that contained personal information, such as student and applicant names and Social Security numbers. | ``thousands''

May 31, 2006 | Humana (Louisville, KY) | On May 5, 2006, Medicare drug benefit applications were stolen from an insurance agent's unlocked car in Brooklyn Park, MN. Information included applicants' name, address, date of birth, Social Security number, and bank routing information. | 268 Minnesota and North Dakota applicants

June 1, 2006 | Miami University (Oxford, OH) | An employee lost a hand-held personal computer containing personal information of students who were enrolled between July 2001 and May 2006. | 851

June 1, 2006 | Ernst & Young (UK) | A laptop containing names, addresses and credit or debit card information of Hotels.com customers was stolen from an employee's car in Texas. | 243,000

June 1, 2006 | Univ. of Kentucky (Lexington, KY) | Personal information of current and former University of Kentucky employees including Social Security numbers was inadvertently accessible online for 19 days last month. | 1,300

June 2, 2006 | Buckeye Community Health Plan (Columbus, OH) | Four laptop computers containing customer names, Social Security numbers, and addresses were stolen from the Medicaid insurance provider. | 72,000

June 2, 2006 | Ahold USA (Landover, MD), parent company of Stop & Shop, Giant stores and Tops stores, via subcontractor Electronic Data Systems (Plano, TX) | An EDS employee lost a laptop computer during a commercial flight that contained pension data of former employees of Ahold's supermarket chains including Social Security numbers, birth dates and benefit amounts. | Unknown

June 2, 2006 | YMCA (Providence, RI) | Laptop computer containing personal information of members was stolen. The information included credit card and debit card numbers, checking account information, Social Security numbers, the names and addresses of children in daycare programs and medical information about the children, such as allergies and the medicine they take, though the type of stolen information about each person varies. | 65,000

June 2, 2006 | Humana (Louisville, KY) | Personal information of Humana customers enrolled in the company's Medicare prescription drug plans could have been compromised when an insurance company employee called up the data through a hotel computer and then failed to delete the file. | 17,000 current and former Medicare enrollees

June 5, 2006 | Internal Revenue Service (Washington, DC) | A laptop computer containing personal information of employees and job applicants, including fingerprints, names, Social Security numbers, and dates of birth, was lost during transit on an airline flight. | 291

June 6, 2006 | Univ. of Texas (El Paso, TX) | Students demonstrated that student body and faculty elections could be rigged by hacking into student information including Social Security numbers. | 4,719

June 8, 2006 | Univ. of Michigan Credit Union (Ann Arbor, MI) | Paper documents containing personal information of credit union members were stolen from a storage room. The documents were supposed to have been digitally imaged and then shredded. Instead, they were stolen and used to perpetrate identity theft. | 5,000

June 11, 2006 | Denver Election Commission (Denver, CO) | Records containing personal information on more than 150,000 voters are missing at city election offices. The microfilmed voter registration files from 1989 to 1998 were in a 500-pound cabinet that disappeared when the commission moved to new offices in February. The files contain voters' Social Security numbers, addresses and other personal information. | 150,000

June 12, 2006 | U.S. Dept. of Energy (Washington, D.C.) | Names, Social Security numbers, security clearance levels and place of employment for mostly contract employees who worked for National Nuclear Security Administration may have been compromised when a hacker gained entry to a computer system at a service center in Albuquerque, N.M. eight months ago. | 1,502

June 13, 2006 | Minn. State Auditor (St. Paul, MN) | Three laptops possibly containing Social Security numbers of employees and recipients of housing and welfare benefits, along with other personal information of local governments the auditor oversees, have gone missing. | 493

June 13, 2006 | Oregon Dept. of Revenue (Salem, OR) | Electronic files containing personal data of Oregon taxpayers may have been compromised when an ex-employee downloaded a contaminated file from a porn site. The ``trojan'' attached to the file may have sent taxpayer information back to the source when the computer was turned on. | 2,200

June 13, 2006 | U.S. Dept of Energy, Hanford Nuclear Reservation (Richland, WA) | Current and former workers at the Hanford Nuclear Reservation were notified that their personal information may have been compromised, after police found a 1996 list with workers' names and other information in a home during an unrelated investigation. | 4,000

June 14, 2006 | American Insurance Group (AIG), Indiana Office of Medical Excess, LLC (New York, NY) | The computer server was stolen on March 31 containing personal information including names, Social Security numbers, birth dates, and some medical and disability information. | 930,000

June 14, 2006 | Western Illinois Univ. (Macomb, IL) | On June 5th, a hacker compromised a University server that contained names, addresses, credit card numbers and Social Security numbers of people connected to the University. UPDATE (7/5/06): Number affected reduced from 240,000. | 180,000

June 16, 2006 | Union Pacific (Omaha, NE) | On April 29th, an employee's laptop was stolen that contained data for current and former Union Pacific employees, including names, birth dates and Social Security numbers. | 30,000

June 16, 2006 | NY State Controller's Office (Albany, NY) | State controller data cartridge containing payroll data of employees who work for a variety of state agencies was lost during shipment. The data contained names, salaries, Social Security numbers and home addresses. | 1,300

June 16, 2006 | ING (Miami, FL) | Two ING laptops that carried sensitive data affecting Jackson Health System hospital workers were stolen in December 2005. The computers, belonging to financial services provider ING, contained information gathered during a voluntary life insurance enrollment drive in December and included names, birth dates and Social Security numbers. | 8,500

June 16, 2006 | Univ. of Kentucky (Lexington, KY) | The personal data of current and former students, including classroom roster names, grades and Social Security numbers, was reported stolen on May 26 following the theft of a professor's flash drive. | 6,500

June 17, 2006 | ING (Washington, D.C.) | Laptop stolen from employee's home containing retirement plan information including Social Security numbers of D.C. city employees. | 13,000

June 17, 2006 | Automatic Data Processing (ADP) (Roseland, NJ) | Personal and payroll information of workers was intended to be faxed between ADP offices and was mistakenly sent to a third party. | 80

June 17, 2006 | CA Dept. of Health Services (CDHS) (Sacramento, CA) | CDHS documents were inappropriately emptied from an employee's cubicle on June 5 and 9 rather than shredded. The documents contained information on state employees and other individuals applying for employment with the state, including names, addresses, Social Security numbers and home and work telephone numbers. They were mostly expired state employment certification lists, but also included requests for personnel action, copies of e-mail messages and handwritten notes. | 1,550

June 20, 2006 | Equifax (Atlanta, GA) | On May 29, a company laptop containing employee names and partial and full Social Security numbers was stolen from an employee. | 2,500

June 20, 2006 | Univ. of Alabama (Birmingham, AL) | In February a computer was stolen from a locked office of the kidney transplant program at the University of Alabama at Birmingham that contained confidential information of donors, organ recipients and potential recipients including names, Social Security numbers and medical information. | 9,800

June 21, 2006 | U.S. Dept. of Agriculture (USDA) (Washington, D.C.) | During the first week in June, a hacker broke into the Department's computer system and may have obtained names, Social Security numbers and photos of current and former employees and contractors. | 26,000

June 21, 2006 | Cape Fear Valley Health System (Fayetteville, NC) | Portable computer containing personal information of more than 24,000 people was stolen from an ambulance of Cumberland Co. Emergency Medical Services on June 8th. It contained information on people treated by the EMS, including names, addresses, and birthdates, plus SSNs of 84% of those listed. | 24,350

June 21, 2006 (Date of letter sent to local doctors. Date of news story is July 28, 2006) | Lancaster General Hospital (Lancaster, PA) | A desktop computer with personal information of hundreds of doctors was stolen from a locked office June 10. The unencrypted data included names, practice addresses, and SSNs of physicians on medical and dental staff. | ``Hundreds of physicians'' (not included in total below)

June 22, 2006 | Federal Trade Commission (FTC) (Washington, D.C.) | Two laptop computers containing personal and financial data were stolen from an employee's vehicle. The data included names, addresses, Social Security numbers, dates of birth, and in some instances, financial account numbers gathered in law enforcement investigations. | 110

June 23, 2006 | San Francisco State Univ. (San Francisco, CA) | A faculty member's laptop was stolen from a car on June 1 that contained personal information of former and current students including Social Security numbers and names, and in some instances phone numbers and grade point averages. | 3,000

June 23, 2006 | U.S. Navy (Washington, D.C.) | Navy personnel were notified on June 22 that a civilian web site contained files with personal information of Navy members and dependents including names, birth dates and Social Security numbers. | 30,000

June 23, 2006 | CA Dept. of Health Services (CDHS) (Sacramento, CA) | On June 12, a box of Medi-Cal forms from December 2005 was found in the cubicle of a CDHS employee. The claim forms contained the names, addresses, Social Security numbers and prescriptions for beneficiaries or their family members. | 323

June 23, 2006 | Catawba County Schools (Newton, NC) | On June 22, it was discovered that a web site posted names, Social Security numbers, and test scores of students who had taken a keyboarding and computer applications placement test during the 2001-02 school year. UPDATE: The web site containing the data has been removed. | 619

June 23, 2006 | King County Records, Elections, and Licensing Services Division (Seattle, WA) | Social Security numbers for potentially thousands of current and former county residents may be exposed on the agency's web site. Residents can request that the image of any document that contains a Social Security number, Mother's Maiden Name or Drivers License be removed. Officials state that they are unable to alter original public documents and cannot choose to not record documents presented for recording. | Unknown

June 27, 2006 | Gov't Accountability Office (GAO) (Washington, D.C.) | Data from audit reports on Defense Department travel vouchers from the 1970s were inadvertently posted online and included some service members' names, Social Security numbers and addresses. The agency has subsequently removed the information. | ``Fewer than 1,000'' [1,000 used in total]

June 28, 2006 | AAAAA Rent-A-Space (Colma, CA) | Customers' account information including name, address, credit card, and Social Security number was easily accessible due to a security gap in its online payment system. | 13,000

June 29, 2006 | AllState Insurance Huntsville branch (Huntsville, AL) | Over Memorial Day weekend, a computer containing personal data including images of insurance policies, correspondence and Social Security numbers was stolen. | 2,700

June 29, 2006 | Nebraska Treasurer's Office (Lincoln, NE) | A hacker broke into a child-support computer system and may have obtained names, Social Security numbers and other information such as tax identification numbers for 9,000 businesses. | 309,000

June 29, 2006 | Minnesota Dept. of Revenue (St. Paul, MN) | On May 16, a package containing a data tape used to back up the regional office's computers went missing during delivery. The tape contained personal information including individuals' names, addresses, and Social Security numbers. UPDATE (7/20/06): The package was reported delivered 2 months later, but apparently had been temporarily lost by the U.S. Postal Service. | 50,400

June 30, 2006 | Nat'l Institutes of Health Federal Credit Union (Rockville, MD) | NIHFCU is investigating with law enforcement the identity theft of some of its 41,000 members. No details given on type of information stolen, or how it was stolen. | ``Very few'' of 41,000 members affected [not included in total]

July 1, 2006 | American Red Cross, Farmers Branch (Dallas, TX) | Sometime in May, 3 laptops were stolen, one of them containing encrypted personal information including names, SSNs, dates of birth, and medical information of all regional donors. They also report losing a laptop with encrypted donor information in June 2005. | Unknown

July 5, 2006 | Bisys Group Inc. (Roseland, NJ) | Personal details about 61,000 hedge fund investors were lost when an employee's truck carrying backup tapes was stolen. The data included SSNs of 35,000 individuals. The tapes were being moved from one Bisys facility to another on June 8 when the theft occurred. | 61,000

July 6, 2006 | Automated Data Processing (ADP) (Roseland, NJ) | Payroll service company ADP gave a scam-artist names, addresses, and number of shares held of investors, although apparently not SSNs or account numbers. The leak occurred from Nov. '05 to Feb. '06 and involved individual investors with 60 companies including Fidelity, UBS, Morgan Stanley, Bear Stearns, Citigroup, Merrill Lynch. | ``Hundreds of thousands'' [not included in total]

July 7, 2006 | University of Tennessee (866) 748-1680 | Hacker broke into UT computer containing names, addresses and SSNs of about 36,000 past and current employees. Intruder apparently used computer from Aug. '05 to May '06 to store and transmit movies. | 36,000

July 7, 2006 | Nat'l Association of Securities Dealers (NASD) (Boca Raton, FL) | Ten laptops were stolen on Feb. 25 '06 from NASD investigators. They included SSNs of securities dealers who were the subject of investigations involving possible misconduct. Inactive account numbers of about 1,000 consumers were also contained on laptops. | 73

July 7, 2006 | Naval Safety Center | SSNs and other personal information of naval and Marine Corps aviators and air crew, both active and reserve, were exposed on Center web site and on 1,100 computer discs mailed to naval commands. | ``more than 100,000''

July 7, 2006 | Montana Public Health and Human Services Dept. (Helena, MT) | A state government computer was stolen from the office of a drug dependency program during a 4th of July break-in. It was not known if sensitive information such as SSNs was compromised. | Unknown

July 7, 2006 | City of Hattiesburg (Hattiesburg, MS) | Video surveillance cameras caught 2 intruders stealing hard drives from 18 computers June 23. Data files contained names, addresses, and SSNs of current and former city employees and registered voters as well as bank account information for employees paid through direct deposit and water system customers who paid bills electronically. | ``thousands of city workers and contractors''

July 13, 2006 | Moraine Park Technical College (Beaver Dam, Fond du Lac, & West Bend, WI) | Computer disk (CD) with personal information of 1,500 students was reported missing. Information includes names, addresses, phone numbers & SSNs of apprenticeship students back to 1993. | 1,500

July 14, 2006 | Northwestern Univ. (Evanston, IL) (888-209-0097) | Files containing names and some personal information including SSNs were on 9 desktop computers that had been accessed by unauthorized persons outside the University. The computers were in the Office of Admissions and Financial Aid Office. | ``As many as 17,000 individuals' records'' exposed

July 14, 2006 | University of Iowa (Davenport, IA) | Laptop computer containing personal information of current and former MBA students was stolen. Data files included SSNs and some contact info. | 280

July 14, 2006 (Date of letter sent to students. Date of news story is 8/1/06) | California Polytechnic State University (Cal Poly) (San Luis Obispo, CA) (Call (805) 756-2226 or (805) 756-2171) | Laptop computer was stolen from the home of a physics department professor July 3. It included names and SSNs of physics and astronomy students from 1994-2004. | 3,020 students

July 14, 2006 | Treasurer's computer in Circuit Court Clerk's office (Hampton, VA) | Public computer in city government building containing taxpayer information was found to display SSNs of many residents--those who paid personal property and real estate taxes. It was shut down and confiscated by the police on July 12th. UPDATE (7/27/2006): Investigation concluded that the data was exposed due to a software problem. | ``Over 100,000 records'' (The number containing SSNs is not known yet and not included in total below.)

July 16, 2006 | Mississippi Secretary of State (Jackson, MS) | The state agency's web site listed 2 million+ Uniform Commercial Code (UCC) filings in which thousands of individuals' SSNs were exposed. | Among the 2 million postings are ``thousands'' containing SSNs (not included in total)

July 17, 2006 | Vassar Brothers Medical Center (Poughkeepsie, NY) (845) 483-6990 | Laptop was stolen from the emergency department between June 23-26. It contained information on patients dating back to 2000, including SSNs and dates of birth. UPDATE (10/5/06): Private investigators determined the laptop did not contain personally identifiable patient information. | [257,800 patients were initially notified, but an analysis by Kroll later determined that the laptop contained no personal information. This number is not included in the total below.]

July 18, 2006 | Nelnet Inc. (Lincoln, NE) (800) 552-7925 | Computer tape containing personal information of student loan customers and parents, mostly from Colorado, was lost when shipped via UPS. The loans were previously serviced by College Access Network. | 188,000

July 18, 2006 | CS Stars, subsidiary of insurance company Marsh Inc. (Chicago, IL) | On May 9, CS Stars lost track of a personal computer containing records of more than a half million New Yorkers who made claims to a special workers' comp fund. The lost data includes SSNs and date of birth but apparently no medical information. UPDATE (7/26/06): Computer was recovered. UPDATE (04/26/07): The New York Attorney General's office found that CS Stars violated the state's security breach law. CS Stars must pay the Attorney General's office $60,000 for investigation costs. It was determined that the computer had been stolen by an employee of a cleaning contractor, the missing computer was located and recovered, and that the data on the missing computer had not been improperly accessed. | 540,000

July 18, 2006 | U.S. Dept. of Agriculture (Wellington, KS) | Laptop computer and printout containing names, addresses and SSNs of 350 employees were stolen from an employee's car and later recovered. | 350

July 24, 2006 | New York City Dept. of Homeless Services | The personal information of 8,400 homeless persons, including SSNs, was leaked in an e-mail attachment July 21, when accidentally sent to homeless advocates and city officials. | 8,400

July 25, 2006 | Armstrong World Industries (Lancaster Co., PA) | A laptop containing personal information of current and former employees was stolen. The computer was in the possession of the company's auditor, Deloitte & Touche. Data included names, home addresses, phone numbers, SSNs, employee ID numbers, salary data, and bank account numbers of employees who have their checks directly deposited. | 12,000

July 25, 2006 | Belhaven College (Jackson, MS) | An employee carrying a laptop was robbed at gunpoint on July 19 while walking to his car. Computer contained names and SSNs of college employees. | 300 employees

July 25, 2006 | Georgetown University Hospital (Washington, DC) | Patient data was exposed online via the computers of an e-prescription provider, InstantDx. Data included names, addresses, SSNs, and dates of birth, but not medical or prescription data. GUH suspended the trial program with InstantDx. | ``between 5,600 and 23,000 patients were affected'' (23,000 added to total below)

July 25, 2006 | Old Mutual Capital Inc., subsidiary of United Kingdom-based financial services firm Old Mutual PLC | Laptop was stolen sometime in May containing personal information of U.S. clients, including names, addresses, account numbers and some SSNs. | 6,500 fund shareholders

July 25, 2006 | Cablevision Systems Corp. (lost when shipped to Dallas-based ACS) | A tape en route to the company's 401(k) plan record-keeper ACS was lost when shipped by FedEx to Dallas, TX. No customer data was on the tape. | 13,700 current and former employees

July 26, 2006 | U.S. Navy recruitment offices (Trenton, NJ, and Jersey City, NJ) | Two laptop computers with information on Navy recruiters and applicants were stolen in June and July. Also included was information from selective service and school lists. About 4,000 records contained SSNs. Files were password protected. | 31,000 records were stolen, with about 4,000 containing SSNs. The latter number is included in the total below

July 26, 2006 | West Virginia Div. of Rehabilitation Services (Beckley, WV) | A laptop was stolen July 24 containing clients' names, addresses, SSNs, and phone numbers. Data was password protected. | Unknown

July 27, 2006 | Kaiser Permanente Northern Calif. Office (Oakland, CA) (866) 453-3934 | A laptop was stolen containing names, phone numbers, and the Kaiser number for each HMO member. The data file did not include SSNs. The data was being used to market Hearing Aid Services to Health Plan members. | 160,000 records. Because the data file did not include SSNs, this number is not added to the total below

July 27, 2006 | Los Angeles County (Los Angeles, CA) | In May, a laptop was stolen from the home of a community and senior services employee. It contained information on LA County employees. | Unknown

July 27, 2006 | Los Angeles Co., Community Development Commission (CDC) (Monterey Park, CA) | Earlier in July, a computer hacker located in Germany gained access to the CDC's computer system, containing personal information on 4,800 public housing residents. | 4,800 records. Because it is not clear if SSNs were included, this number is not added to the total below

July 27, 2006 | Los Angeles County, Adult Protective Services (Burbank, CA) | Last weekend 11 laptops were stolen from the Burbank office. It is not clear what type of personal information was included. | Unknown

July 28, 2006 | Matrix Bancorp Inc. (Denver, CO) (877-250-7742) | Two laptop computers were stolen during daytime while staffers were away from their desks. One computer contained customers' account information. The bank says data is encrypted and password protected. | Unknown

July 28, 2006 | Riverside, Calif., city employees | The SSNs and financial information regarding 401(k) accounts was accidentally e-mailed to 2,300 city employees due to a computer operator's error. The data was intended for the city payroll dept. | ``nearly 2,000 employees''

July 29, 2006 | Sentry Insurance (Stevens Point, WI) | Personal information including SSNs on worker's compensation claimants was stolen, some of which was later sold on the Internet. No medical records were included. The thief was a lead programmer-consultant who had access to claimants' data. The consultant was arrested and faces felony charges. | Information on 72 claimants was sold on the Internet. Data on an additional 112,198 claimants was also stolen with no evidence of being sold online. Total affected is 112,270

Aug. ?, 2006 | CoreLogic for ComUnity Lending (Sacramento, CA) (877) 510-3700 identityprotection@corelogic.com | In early August, CoreLogic notified customers of ComUnity Lending that a computer with customers' data was stolen from its office. Data included names, SSNs, and property addresses related to an existing or anticipated mortgage loan. | Unknown

Aug. 1, 2006 | U.S. Bank (Covington, KT) | A bank employee's briefcase was stolen from the employee's car with documents containing names, phone numbers, and SSNs of customers. | ``very small'' number

Aug. 1, 2006 | Wichita State University (Wichita, KS) | WSU learned on June 29 that someone gained unauthorized access into 3 computers in its College of Fine Arts box office, containing credit card information for about 2,000 patrons. | 2,000

Aug. 1, 2006 | Wichita State University (Wichita, KS) | An intrusion into a WSU psychology department's server was discovered July 16. It contained information on about 40 applicants to the doctoral program. | 40 (not included in total below because it is not known if SSNs were included in breached data)

Aug. 1, 2006 | Dollar Tree (Carmichael and Modesto, CA, as well as Ashland, OR, and perhaps other locations) | Customers of the discount store have reported money stolen from their bank accounts due to unauthorized ATM withdrawals. Data may have been intercepted by a thief's use of a wireless laptop computer, with the thief then creating counterfeit ATM cards and using them to withdraw money. UPDATE (10/5/06): Parkev Krmoian was indicted by a federal grand jury for allegedly using phony ATM cards made from gift cards. The case is tied to the Dollar Tree customer bank account thefts. | Total number unknown

Aug. 1, 2006 | Ron Tonkin Nissan (Portland, OR) Questions? Call: (503) 251-3349 | Several months ago the car dealership experienced a security breach affecting the personal information of those who bought cars or applied for credit between 2001 and March 2006. | Up to 16,000 affected

Aug. 4, 2006 | Toyota plant (San Antonio, TX) | Laptop belonging to contractor and containing personal information of job applicants and employees was stolen. Data included names and SSNs. | 1,500

Aug. 4, 2006 | PSA HealthCare (Norcross, GA) (866) 752-5259 | A company laptop was stolen from an employee's vehicle in a public parking lot July 15. It contained names, addresses, SSNs, and medical diagnostic and treatment information used in reimbursement claims. | 51,000 current and former patients

Aug. 6, 2006 | America Online (AOL) (nationwide) | In late July AOL posted on a public web site data on 20 million web queries from 650,000 users. Some search records exposed SSNs, credit card numbers, or other pieces of sensitive information. UPDATE (9/26/06): Three individuals whose data were exposed have filed a lawsuit against AOL. | Unknown how many records contain high-risk personal information

Aug. 7, 2006 | U.S. Dept. of Veteran's Affairs through its contractor Unisys Corp. (Reston, VA) | Computer at contractor's office was reported missing Aug. 3, containing billing records with names, addresses, SSNs, and dates of birth of veterans at 2 Pennsylvania locations. UPDATE (9/15/06): Law enforcement recovered the computer and arrested an individual who had worked for a company that provides temporary labor to Unisys. | 5,000 Philadelphia patients, 11,000 Pittsburgh patients, 2,000 deceased patients, plus possibly 20,000 more (18,000 is included in total below)

Aug. 8, 2006 | Virginia Bureau of Insurance (804) 726-2630 | The Bureau has advised insurance agents in the state that their SSN may have been exposed on its web site from June 13 through July 31, 2006, due to a programming error. The SSNs were not shown on any web page, but could have been found by savvy computer users using the source code tool of a web browser. | Unknown

Aug. 8, 2006 | Linens 'n Things (Sterling, VA) | A folder holding about 90 receipts was missing from the store. Receipts included full credit or debit account number and name of the card holder. | 90

Aug. 9, 2006 | U.S. Dept. of Transportation (800) 424-9071 [email protected] | The DOT's Office of the Inspector General reported a special agent's laptop was stolen on July 27 from a government-owned vehicle in Miami, FL, parked in a restaurant parking lot. It contained names, addresses, SSNs, and dates of birth for 80,670 persons issued commercial drivers licenses in Miami-Dade County; 42,800 persons in FL with FAA pilot certificates; and 9,000 persons with FL driver's licenses. UPDATE (11/21/06): A suspect was arrested in the same parking lot where the theft occurred, but the laptop has not been recovered. Investigators found a theft ring operating in the vicinity of the restaurant parking lot. | 132,470

Aug. 11, 2006 | Madrona Medical Group (Bellingham, WA) | On Dec. 17, 2005, a former employee accessed and downloaded patient files onto his laptop computer. Files included name, address, SSN, and date of birth. The former employee has since been arrested. | At least 6,000 patients

Aug. 15, 2006 | University of Kentucky | The names and SSNs of 630 students were posted on the University's financial aid web site between Friday and Monday, Aug. 11-14. | 630

Aug. 15, 2006 | University of Kentucky | About 80 geography students were notified Aug. 14 that their SSNs were inadvertently listed on an e-mail communication they all received telling them who their academic advisor would be for the coming year. | 80

Aug. 15, 2006 | U.S. Dept. of Transportation (Orlando, FL) | On April 24, a DOT employee's laptop | Unknown
computer was stolen from an Orlando hotel conference room. It contained several unencrypted case files Investigators are determining if it contained sensitive personal information. Aug. 16, 2006........................ Chevron (San Ramon, CA) Chevron informed its Total employees U.S. workers Aug. 14 affected is unclear. that a laptop was Nearly half of its stolen from ``an 59,000 workers are employee of an from North America. independent public accounting firm'' who was auditing its benefits plans. The theft apparently occurred Aug. 5. Files contained SSNs and sensitive information related to health and disability plans. Aug. 17, 2006........................ Williams-Sonoma (San On July 10, a laptop 1,200 current and Francisco, CA). was stolen from the former employees. Los Angeles home of a Deloitte & Touche employee who was conducting an audit for W-S. Computer contained employees' payroll information and SSNs. Aug. 17, 2006........................ HCA, Inc. Hospital 10 computers containing ``thousands of files''. Corp. of America Medicare and Medicaid (Nashville, TN) (800) billing information 354-1036 and records of hcahealthcare.com. employees and physicians from 1996- 2006 were stolen from one of the company's regional offices. Some patient names and SSNs were exposed, but details are vague. Records for patients in hospitals in the following states were affected: CO, KS, LA, MS, OK, OR, TS, WA. Aug. 18, 2006........................ Calif. Dept. of Mental Computer tape with 9,468 employees. Health (916) 654-2309. employees' names, addresses, and SSNs has been reported missing. Employees were notified Aug. 17 by e-mail. Aug. 21, 2006........................ U.S. Dept. of Education Two laptops were stolen 43 via contractor, DTI from DTI's office in Associates downtown DC containing (Washington, DC). personal information on 43 grant reviewers for the Teacher Incentive Fund. DTI could not rule out that the data included SSNs. Aug. 22, 2006........................ 
AFLAC American Family A laptop containing 612 policyholders. Life Assurance Co. customers' personal (Greenville, SC) (888) information was stolen 794-2352. from an agent's car. It contained names, addresses, SSNs, and birth dates of 612 policyholders. They were notified Aug. 11. Aug. 22, 2006........................ Beaverton School Time slips revealing 1,600 employees. District (Beaverton, personal information OR). were missing and presumed stolen following a July 24 break-in at a storage shed on the administration office's property. The time slips included names and SSNs but not addresses. Aug. 22, 2006........................ Beaumont Hospital A vehicle of a home 28,400 home care (Troy, MI). health care nurse was patients. stolen from outside a senior center Aug. 5. Although it was recovered nearby, a laptop left in the rear of the car was not recovered. It contained names, addresses, SSNs, and insurance information of home health care patients. UPDATE (8/23/06): The laptop was returned Aug. 23 by a woman who said she found it in her yard. Aug. 23, 2006........................ U.S. Dept. of A faulty Web site 21,000 Education, Direct Loan software upgrade Servicing Online resulted in personal (Atlanta, GA) information of 21,000 www.dlssonline.com and student loan holders dlservicer.ed.gov. being exposed on the Department's loan Web site. Information included names, birthdates, SSNs, addresses, phone numbers, and in some cases, account information. Affiliated Computer Services Inc. is the contractor responsible for the breach. The breach did not include those whose loans are managed through private companies. Aug. 25, 2006........................ Dominion Resources Two laptops containing Unknown. (Richmond, VA). employee information were stolen earlier in August. It was not clear what type of data were included. No customer records were on the computers. Dominion operates a gas and electric energy distribution company. Aug. 25, 2006........................ U.S. 
Dept. of A laptop that ``might 193 (not added to Transportation, contain'' personal total). Federal Motor Carrier information of people Safety Administration with commercial (Baltimore, MD) (800) driver's licenses was 832-5660. stolen Aug. 22. FMCSA said the data might include names, dates of birth, and commercial driver's license numbers of 193 individuals from 40 trucking companies. Aug. 25, 2006........................ Sovereign Bank (New Personal data may have ``thousands of Bedford, MA). been compromised when customers''. 3 managers' laptops were stolen from 2 separate locations in early August. Customers were notified Aug. 21. Sovereign serves New England and the Mid- Atlantic. The bank said the data included unspecified customer information, but not account data. Aug. 26, 2006........................ PortTix (Portland, ME). Credit card information 2,000 for about 2,000 people who ordered tickets online through PortTix was accessed by someone who hacked into the Web site. PortTix is Merrill Auditorium's ticketing agency. The Web site was secured as of Aug. 24. Aug. 26, 2006........................ University of South A security audit this 6,000 current and Carolina (Columbia, summer found that a former students. SC). computer server was hacked in Sept. 2005. A database could have been accessed with names, SSNs, and birthdates of current and former students. Aug. 27, 2006........................ New Mexico For 8 days in late May, 1,500 employees. Administrative Office an unsecured document of the Courts (Santa was exposed on the Fe, NM). agency's FTP site on the state's computer server. It contained names, birth dates, SSNs, home addresses and other personal information of judicial branch employees. The FTP site was shut down June 2 and has since been redesigned. Aug. 29, 2006........................ Valley Baptist Medical A programming error on Unknown. Center (Harlingen, TX) the hospital's web (877) 840-5999. 
site exposed names, birth dates, and SSNs of healthcare workers in late August. The error was fixed but it is not known how long the personal information was compromised. The affected individuals are workers from outside the hospital who provide services and bill the hospital via an online form. Aug. 29, 2006........................ AT&T via vendor that Computer hackers ``Fewer than 19,000'' operates an order accessed credit card customers. processing computer account data and other (San Francisco, CA). personal information of customers who purchased DSL equipment from AT&T's online store. The company is notifying ``fewer than 19,000'' customers''. UPDATE (9/1/06): The breach was followed by a bogus phishing e- mail to those customers that attempted to trick them into revealing more info such as SSN and birthdate-- essential for crime of identity theft. Aug. 29, 2006........................ Compass Health Compass Health notified ``A limited number of (Everett, WA) (800) some of its clients people''. 508-0059. that a laptop containing personal information, including SSNs, was stolen June 28. The agency serves people who suffer from mental illness. Aug. 31, 2006........................ Labcorp (Monroe, NJ) During a break-in June Unknown. (800) 788-9091 x3925. 4 or 5, a computer was stolen that contained names and SSNs, but according to the company did not have birth dates or lab test results. Aug. 31, 2006........................ Diebold, Inc. (Canton, An employee's laptop Unknown. OH). was stolen containing employee information, including name, SSN, and if applicable, corporate credit card number. Sept. 1, 2006........................ Wells Fargo via unnamed In a letter dated Aug. Unknown. auditor (San 28, the company Francisco, CA). notified its employees that a laptop and data disk were stolen from the locked trunk of an unnamed auditor, hired to audit the employees' health plan. 
Data included names, SSNs, and information about drug claim cost and dates from 2005, but no prescription information said the company. Sept. 1, 2006........................ Virginia Commonwealth Personal information of 2,100 current and University (Richmond, freshmen and graduate former students. VA) www.ts.vcu.edu. engineering students from 1998 through 2005 was exposed on the Internet for 8 months (Jan.-Aug.) due to human error. It was discovered by a student who used a search engine to find her name. The data included SSNs and e- mail addresses. Sept. 1, 2006........................ City of Chicago via A laptop was stolen ``Up to 38,443 city contractor Nationwide from the home of employees and Retirement Solutions, contractor's employee retirees''. Inc. (Chicago, IL) last April 2005. It (800) 638-1485 was reported to the www.chicagofop.org. city July 2006 more than a year later. Data included names, addresses, phone numbers, birthdates and SSNs for those in the city's deferred compensation plan. Sept. 2, 2006........................ Lloyd's of London (Port A thief reprogrammed Unknown. St. Lucie, FL). more than 150 Lloyd's of London credit card numbers onto phone cards and used them to withdraw money from an ATM in Port St. Lucie, FL (stealing more than $20,000 over 3 days). Key personal and financial information had been skimmed from the magnetic strip on the victims' cards. Sept. 5, 2006........................ Transportation Security In late August 2006, 1,195 former TSA Administration (TSA) Accenture, a employees. via Accenture contractor for TSA (Washington, DC). mailed documents containing former employees' SSNs, date of birth, and salary information to the wrong addresses due to an administrative error. Sept. 7, 2006........................ Florida National Guard A laptop computer was 100 (Bradenton, FL). 
stolen from a soldier's vehicle contained training and administrative records, including Social Security numbers of up to 100 Florida National Guard soldiers. Sept. 7, 2006........................ Circuit City and Chase Chase Card Services 2.6 million past and Card Services, a mistakenly discarded 5 current Circuit City division of JP Morgan computer data tapes in credit cardholders. Chase & Co. July containing (Wilmington, DE). Circuit City cardholders' personal information. Sept. 8, 2006........................ Linden Lab (San On Sept. 6, Linden Lab Unknown. Francisco, CA) discovered that a www.secondlife.com. hacker accessed its Second Life database through web servers. The affected data included unencrypted account names, real life names, and contact information, plus encrypted account passwords and payment information. Second Life is a 3-D virtual world. Sept. 8, 2006........................ University of Minnesota On August 14-15 eve, 13,084 students (Minneapolis, MN). two computers were including SSNs of 603 stolen from the desk students. of an Institute of Technology employee, containing information on students who were freshmen from 1992- 2006--including names, birthdates, addresses, phone numbers, high schools attended, student ID numbers, grades, test scores, and, academic probation. SSNs of 603 students were also exposed. Sept. 8, 2006........................ Berks Co. Sheriff's A confidential list of 25,000 gun permit Office via contractor some of the County's holders exposed, Canon Technology 25,000 gun permit although initially the Solutions (Reading, holders was exposed on number was unknown. PA). the Web by the contractor that is developing a Web-based computer records program for the Sheriff's Office. Personal information included names, addresses and SSNs. UPDATE (10/6/06): The Berks County solicitor's office says the entire list of more than 25,000 gun permit holders was exposed. Sept. 9, 2006........................ 
Cleveland Clinic A clinic employee stole 1,100 patients. (Naples, FL) (866) 907- personal information 0675. from electronic files and sold it to her cousin, owner of Advanced Medical Claims, who used it to file fraudulent Medicare claims totaling more than $2.8 million. Information included names, SSNs, birthdates, addresses and other details. Both individuals were indicted. Sept. 11, 2006....................... Telesource via Vekstar Employees discovered Unknown. (Indianapolis, IN). their personnel files in a Dumpster after the company had been bought out by another company Vekstar. The files were discarded when the office was being cleaned out and shut down. Files contained SSNs, dates of birth and photocopies of SSN cards and driver's licenses. Sept. 13, 2006....................... American Family The office of an 2,089 customers. Insurance (Madison, insurance agent was WI). broken into and robbed last July. Among the items stolen was a laptop with customers' names, SSNs, and driver's license numbers. Sept. 14, 2006....................... Nikon Inc. and Nikon Workers at a 3,235 magazine World Magazine Montgomery, AL, camera subscribers. (Melville, NY). store discovered that subscription information for the magazine Nikon World was exposed on the Web for at least 9 hours. Data included subscribers' names, addresses and credit card numbers. Sept. 14, 2006....................... Illinois Dept. of A document containing Unknown. Corrections employees' personal (Springfield, IL). information was found outside the agency's premises ``where it should not have been.'' It has since been retrieved. Information included employees' names, SSNs, and salaries. Sept. 15, 2006....................... Mercy Medical Center A memory stick 295 patients. (Merced, CA). containing patient information was found July 18 by a local citizen on the ground at the County Fairgrounds near the hospital's information booth. It was returned to the hospital 4 weeks later. 
Data included names, SSNs, birthdates, and medical records. Sept. 15, 2006....................... Whistle Junction Personnel files of Unknown. restaurant (Orlando, employees of the now- FL). closed restaurant were found in a nearby Dumpster. Papers included names and SSNs of former employees. Sept. 16, 2006....................... Michigan Dept. of Residents who 4,000 Michigan Community Health participated in a residents. (Detroit, MI). scientific study were notified that a flash drive was discovered missing as of Aug. 4, and likely stolen, from an MDCH office.The portable memory device contained names, addresses, phone numbers, dates of birth, and SSNs of participants. The study tracked the long- term exposure to flame retardants ingested by residents in beef and milk. Sept. 16, 2006....................... Beaumont Hospital The hospital mistakenly 3 patients. (Royal Oak, MI). mailed medical reports on 3 patients to a retired dentist in Texas. Reports included name, test results, date of birth and patient ID numbers. The hospital admitted to both human and computer error. A new computer system mixed similar names, and staff did not catch it. Sept. 17, 2006....................... Direct Loans, part of A security breach 21,000 accounts. William D. Ford exposed private Federal Direct Loan information of student Program within U.S. loan borrowers from Dept. of Education and Aug. 20-22 during a Federal Student Aid computer software via its IT contractor upgrade. Users of the ACS. Direct Loans Web site were able to view information other than their own if they used certain options. SSNs were among the data elements exposed online. Sept. 18, 2006....................... Howard, Rice, A laptop was stolen 500 current and former Nemerovski, Canady, from the trunk of the employees. Falk & Rabkin law firm car of the law firm's (San Francisco, CA) auditor, containing via its auditor confidential employee Morris, Davis & Chan pension plan (Oakland, CA). 
information--names, SSNs, remaining balances, 401(k) and profit-sharing information. Sept. 18, 2006....................... DePaul Medical Center, Two computers were ``More than 100 Radiation Therapy stolen, one on August patients''. Dept. (Norfolk, VA) 28 and the other Sept. (757) 889-5945. 11. Personal data included names, date of birth, treatment information, and some SSNs. Sept. 19, 2006....................... Life Is Good (Hudson, Hackers accessed the 9,250 customers' credit NH). retailer's database card numbers. containing customer's credit card numbers. The company said no other personal information was in the database. Sept. 20, 2006....................... City of Savannah, Because of a ``hole in 8,800 individuals whose Georgia (912) 651-6565 the firewall,'' a City identities were savannahga.gov. server exposed captured by red-light personal information cameras. online for 7 months. Individuals identified by the Red Light Camera Enforcement Program are affected-- name, address, driver's license number, vehicle identification number, and SSNs of those individuals whose driver's license number is still the SSN. Sept. 20, 2006....................... Berry College via Student applications 2,093 students and consultant Financial for need-based potential students (of Aid Services Inc. financial aid were those, 1,322 are (Mount Berry, GA) misplaced by a currently enrolled). (800) 961-4692 consultant--in both www.berry.edu. paper and digital form. Data included name, SSN, and reported family income for students and potential students for the 2005-06 academic year. Sept. 21, 2006....................... Pima Co. Health Dept. Vaccination records on 2,500 (not included in (Tucson, AZ). 2,500 clients had been Total below). left in the trunk of a car that was stolen Sept. 12. The car and records have since been recovered. Records included names, dates of birth and ZIP codes, but no SSNs or addresses. Sept. 21, 2006....................... U.S. Dept. 
of Commerce The agency reported Unknown. and Census Bureau that 1,137 laptops (Washington, DC). have been lost or stolen since 2001. Of those, 672 were used by the Census Bureau, with 246 of those containing personal data. Secretary Gutierrez said the computers had ``protections to prevent a breach of personal information''. Sept. 22, 2006....................... Purdue University A file in a desktop 2,482 students from the College of Science computer in the year 2000. (West Lafayette, IN) Chemistry Department (866) 307-8520 may have been accessed www.purdue.edu. illegitimately. The file contained names, SSNs, school, major, and e-mail addresses of people who were students in 2000. Sept. 22, 2006....................... University of Colorado- Two computers had been 1,372 students and Boulder, Leeds School placed in storage former students. of Business (Boulder, during the school's CO) (303) 492-8741. move to temporary quarters in May. When they were to be retrieved Aug. 28, they were found missing. They had been used by 2 faculty members and included students' names, SSNs, and grades. UPDATE (9/25/06): One of the computers was found. Sept. 22, 2006....................... Several Indianapolis Earlier this year a Unknown. pharmacies local TV reporter from (Indianapolis, IN). WTHR found that ``dozens'' of pharmacies disposed of customer records in unsecured garbage bins. Now the Indiana Board of Pharmacy has launched an investigation of 30 pharmacies. Both the Board and the Attorney General say that the pharmacies violated state law. Sept. 23, 2006....................... An illegal dumping site Investigators found Unknown. northwest of Quinlan, boxes of private TX. medical records containing names and personal information of patients of a doctor who lives in Dallas and who has a Greenville, TX, practice. They had apparently been dumped there by a contractor who was hired to remodel his house. The contractor was indicted on a charge of illegal dumping. Sept. 
23, 2006....................... Erlanger Health System Records of hospital 4,150 current and (Chattanooga, TN). employees disappeared former employees. from a locked office on Sept. 15. They were stored on a USB ``jump drive.'' Information was limited to names and SSNs. Those affected included anyone who went through job ``status changes'' from Nov. 2003 to Sept. 2006. Sept. 25, 2006....................... Movie Gallery A large number of Movie Unknown. (Gastonia, NC). Gallery's files and videos were found in a dumpster. The files contained personal information of people employed by Movie Gallery and people applying for jobs at the video store as well as people applying for movie rental membership. Movie Gallery has agreed to pay $50,000 to the State of NC. Sept. 25, 2006....................... General Electric (US An employee's laptop 50,000 employees. Corporate HQ: computer holding the Fairfield, CT). names and Social Security numbers of approximately 50,000 current and former GE employees was stolen from a locked hotel room while he was traveling for business. Sept. 28, 2006....................... North Carolina Dept. of A computer was stolen 16,000 Motor Vehicles from a NC Dept. of (Louisville, NC) (888) Motor Vehicles office, 495-5568. reported Sept. 10. It contains names, addresses, driver's license numbers, SSNs, and in some cases immigration visa information of 16,000 people who have been issued licenses in the past 18 months. Most are residents of Franklin County. Sept. 28, 2006....................... Illinois Dept. of Documents found by 40 Transportation state auditors in (Springfield, IL). recycling bins in a hallway contained IDOT employee names and SSNs. Sept. 28, 2006....................... Stevens Hospital A manager for the ``about 30 patients''. Emergency Room via hospital's billing dishonest employee of company, Med Data, billing company Med stole patients' credit Data (Edmonds, WA). card numbers. 
She gave them to her brother who bought $30,000 worth of clothes and gift cards over the Internet. The woman is scheduled for sentencing in Nov. and her brother's trial is expected Jan. 2007. Sept. 29, 2006....................... University of Iowa Dept A computer containing 14,500 individuals who of Psychology (Iowa SSNs of 14,500 had participated in a City, IA). psychology department research study. research study subjects was the object of an automated attack designed to store pirated video files for subsequent distribution. Sept. 29, 2006....................... Kentucky Personnel State employees 146,000 Cabinet (Frankfort, received letters from KY). the Kentucky Personnel Cabinet with their SSNs visible through the envelope windows. Sept. ??, 2006....................... Adams State College A laptop computer 184 Upward Bound (Alamosa, CO). stolen from a locked students. closet at Adams State College contained personally identifiable data belonging to 184 high school students who participated in the college's Upward Bound program over the last four years. The theft occurred on August 14, but it was not until late September that staff realized the computer held students' data. Oct. 2, 2006......................... Port of Seattle Six CDs missing from 6,939 current and (Seattle, WA) (888) the ID Badging office former Seattle-Tacoma 902-PORT. at Seattle-Tacoma International Airport International Airport employees. hold the personal information of 6,939 airport workers. The data include names, addresses, birth dates, SSNs and driver's license numbers, telephone numbers, employer information, and height/weight. The data on the disks were scanned from paper applications for airport badges. The port learned of the missing disks on September 18 and sent letters to the affected employees on Oct. 2. Oct. 3, 2006......................... Cumberland County, PA.. Cumberland County (PA) 1,200 employees of the officials removed county. 
salary board meeting minutes from their Web site because they contained the SSNs of 1,200 county employees. The information was included in minutes from meetings prior to 2000. The county no longer uses SSNs as unique identifiers for employees. Employees will be informed of the data breach in a note included with their paychecks. Oct. 3, 2006......................... Willamette Educational Seven computers stolen 4,500 Oregon high Service District from a Willamette school students [not (Salem, OR). Educational service included in total District office were because not thought to believed to contain contain sensitive personal information info. such as SSNs]. of 4,500 Oregon high school students. Backup tapes indicate the computers hold information about the students' school clubs but do not contain sensitive information. Oct. 3, 2006......................... Picatinny Arsenal 28 computers are Unknown. (Rockaway Twp., NJ) missing from the (If you have tips, Picatinny Arsenal, a call (973) 989-0652). Department of Defense Weapons Research Center. The computers were reported lost or stolen over the last two years. None of the computers was encrypted. Officials state the computers did not contain classified information. Oct. 4, 2006......................... Orange County A Florida woman Unknown. Controller (FL). discovered her marriage license was visible on the Orange County (FL) controller's Web site with no information blacked out, not even SSNs. She discovered the breach because someone had applied for a loan in her name. The Orange County Comptroller is reportedly paying a vendor $500,000 to black out all SSNs by January 2008. Oct. 5, 2006......................... San Juan Capistrano Five computers stolen Unknown. Unified School from the HQ of San District (CA). Juan Capistrano Unified School District likely contain the names, SSNs and dates of birth of district employees enrolled in an insurance program. Oct. 6, 2006......................... 
  Cleveland Air Route Traffic Control Center (Oberlin, OH)
  A computer hard drive missing from the Cleveland Air Route Traffic Control Center in Oberlin (OH) contains the names and SSNs of at least 400 air traffic controllers.
  Number of records: At least 400

Oct. 6, 2006
  Camp Pendleton Marine Corps base via Lincoln B.P. Management (Camp Pendleton near Oceanside, CA)
  A laptop missing from Lincoln B.P. Management Inc. holds personally identifiable data about 2,400 Camp Pendleton residents.
  Number of records: 2,400

Oct. 9, 2006 (letter mailed Oct. 5, 2006)
  Troy Athens High School (Troy, MI) (for questions or comments, call (248) 823-4035)
  A hard drive stolen from Troy Athens High School in August contained transcripts, test scores, addresses and SSNs of students from the graduating classes of 1994 to 2004. The school district and the superintendent have notified all affected alumni by regular mail.
  Number of records: 4,400

Oct. 10, 2006
  Florida Labor Department
  The names and SSNs of 4,624 Floridians were accessible on the Internet for approximately 18 days in September. The data were not accessible through Web sites, but an individual came across the information when Googling his own name. The agency has asked Google to remove the pages from its cache, and has notified all affected individuals by mail.
  Number of records: 4,624 individuals who had registered with Florida's Agency for Workforce Innovation

Oct. 11, 2006
  Republican National Committee (Washington, D.C.)
  The Republican National Committee (RNC) inadvertently emailed a list of donors' names, SSNs and races to a New York Sun reporter.
  Number of records: 76 RNC donors

Oct. 12, 2006
  U.S. Census Bureau
  This spring, residents of Travis County, TX, helped the Census Bureau test new equipment. When the test period ended, 15 devices were unaccounted for. The Census Bureau and the Commerce Department issued a press release saying the devices held names, addresses and birthdates, but not income or SSNs.
  Number of records: Unknown number of Travis Co., TX, residents

Oct. 12, 2006
  Congressional Budget Office (Washington, D.C.)
  Hackers broke into the Congressional Budget Office's mailing list and sent a phishing e-mail that appeared to come from the CBO.
  Number of records: Unknown number of e-mail addresses

Oct. 12, 2006
  University of Texas at Arlington
  Two computers stolen from a University of Texas faculty member's home hold the names, SSNs, grades, e-mail addresses and other information belonging to approximately 2,500 students enrolled in computer science and engineering classes between fall 2000 and fall 2006. The theft occurred on September 29 and was reported on October 2.
  Number of records: 2,500 students

Oct. 13, 2006
  Ohio Ethics Committee (Columbus, OH)
  Papers belonging to the Ohio Ethics Commission were found floating on the wind in an alley. The documents are related to state employees' finances and contained SSNs and financial statements. They were supposed to be in the possession of the state archives.
  Number of records: Unknown number of Ohio state employees

Oct. 13, 2006
  Orchard Family Practice (Englewood, CO)
  When a bankrupt Colorado doctor was evicted from his office, the landlord, with help from the sheriff's dept., dumped everything from his office in the parking lot, including file cabinets containing personal information of his patients. Scavengers were seen carting off desks and file cabinets, some containing records. The exposed documents were thought to consist of business records containing names, SSNs, dates of birth, and addresses, but not medical information, which the doctor had previously removed.
  Number of records: Unknown

Oct. 14, 2006
  T-Mobile USA Inc. (Bellevue, WA)
  A laptop computer holding personally identifiable information of approximately 43,000 current and former T-Mobile employees disappeared from a T-Mobile employee's checked luggage. T-Mobile has reportedly sent letters to all those affected. The data are believed to include names, addresses, SSNs, dates of birth and compensation information.
  Number of records: 43,000 current and former employees

Oct. 15, 2006
  Poulsbo Department of Licensing (Poulsbo, WA)
  An unspecified ``storage device'' containing personally identifiable data of approximately 2,200 North Kitsap (WA) residents has been lost from the Poulsbo Department of Licensing. The data include names, addresses, photographs and driver's license numbers of individuals who conducted transactions at the Poulsbo branch in late September.
  Number of records: 2,200

Oct. 16, 2006
  Germanton Elementary School (Germanton, NC)
  A computer stolen from Germanton Elementary School holds students' SSNs. The data on the computer are encrypted.
  Number of records: Unknown

Oct. 16, 2006
  VISA/FirstBank
  FirstBank sent a letter to an unknown number of customers informing them their FirstTeller Visa Check Card numbers were compromised when someone accessed ``a merchant card processor's transaction database.'' The FirstBank letter said customers would receive new cards by October 27.
  Number of records: Unknown

Oct. 16, 2006
  Dr. Charles Kay of Orchard Family Practice (Englewood, CO)
  Sheriff's deputies evicting Dr. Charles Kay put files from his office in a nearby parking lot. In a news report, Dr. Kay said he had removed the patient files but not the business files.
  Number of records: Unknown

Oct. 17, 2006
  City of Visalia, Recreation Division (Visalia, CA)
  Personally identifiable information of approximately 200 current and former Visalia Recreation Department employees was exposed when copies of city documents were found scattered on a city street.
  Number of records: 200 current and former employees

Oct. 19, 2006
  Allina Hospitals and Clinics (Minneapolis-St. Paul, MN)
  A laptop stolen from a nurse's car on October 8 contains the names and SSNs of individuals in approximately 17,000 households participating in the Allina Hospitals and Clinics obstetric home-care program since June 2005.
  Number of records: Individuals in 17,000 households

Oct. 19, 2006
  University of Minnesota/Spain
  In June, a University of Minnesota art department laptop computer stolen from a faculty member while traveling in Spain holds personally identifiable information of 200 students.
  Number of records: 200 students (not included in total)

Oct. 20, 2006
  Manhattan Veteran's Affairs Medical Center, New York Harbor Health Care System (New York, NY)
  On Sept. 6, an unencrypted laptop computer containing veterans' names, Social Security numbers, and medical diagnoses was stolen from the hospital.
  Number of records: 1,600 veterans who receive pulmonary care at the facility

Oct. 21, 2006
  Bowling Green Police Dept. (Bowling Green, OH)
  The police dept. accidentally published a report on their website containing personal information on nearly 200 people the police had contact with on Oct. 21. Data included names, Social Security numbers, driver's license numbers, etc.
  Number of records: Approx. 200 victims or suspects

Oct. 23, 2006
  Sisters of St. Francis Health Services via Advanced Receivables Strategy (ARS), a Perot Systems Company (Indianapolis, IN) (866) 714-7606
  On July 28, 2006, a contractor working for Advanced Receivables Strategy, a medical billing records company, misplaced CDs containing the names and SSNs of 266,200 patients, employees, physicians, and board members of St. Francis hospitals in Indiana and Illinois. Also affected were records of Greater Lafayette Health Services. The disks were inadvertently left in a laptop case that was returned to a store. The purchaser returned the disks. The records were not encrypted even though St. Francis and ARS policies require encryption.
  Number of records: 260,000 patients and about 6,200 employees, board members and physicians, for a total of 266,200

Oct. 23, 2006
  Chicago Voter Database (Chicago, IL)
  An official from the not-for-profit Illinois Ballot Integrity Project says his organization hacked into Chicago's voter database, compromising the names, SSNs and dates of birth of 1.35 million residents. The Chicago Election Board is reportedly looking into removing SSNs from the database. Election officials have patched the flaw that allowed the intrusion.
  Number of records: 1.35 million Chicago residents

Oct. 24, 2006
  Jacobs Neurological Institute (Buffalo, NY)
  The laptop of a research doctor was stolen from her locked office at the Institute. It included records of patients and her research data.
  Number of records: Unknown

Oct. 25, 2006
  Transportation Security Administration (TSA) (Portland, OR)
  A thumb drive is missing from the TSA command center at Portland International Airport and is believed to contain the names, addresses, phone numbers and Social Security numbers of approximately 900 current and former employees.
  Number of records: 900 current and former Oregon TSA employees

Oct. 25, 2006
  Swedish Medical Center, Ballard Campus (Seattle, WA) (800) 840-6452
  An employee stole the names, birthdates, and Social Security numbers of patients who were hospitalized or had day surgeries from June 22 to Sept. 21. She used 3 patients' information to open multiple credit accounts.
  Number of records: Up to 1,100 patients

Oct. 25, 2006
  Tuscarawas County and Warren County (OH)
  The Social Security numbers of some Tuscarawas and Warren County voters were available on the LexisNexis Internet database service. UPDATE (11/1/06): LexisNexis says it has now removed the SSNs.
  Number of records: Unknown

Oct. 26, 2006
  Akron Children's Hospital (Akron, OH)
  Overseas hackers broke into two computers at Children's Hospital. One contains private patient data (including Social Security numbers) and the other holds billing and banking information.
  Number of records: 235,903

Oct. 26, 2006
  Empire Equity Group (Charlotte, NC)
  Mortgage files that included personal financial details about loan applicants were found in a dumpster. Empire Equity will pay $12,500 to the State of NC.
  Number of records: Unknown

Oct. 26, 2006
  LimeWire (Denver, CO)
  The Denver Police Dept. reports that LimeWire's file-sharing program was exploited to access personal and financial information from approximately 75 different individual and business account names from all over the country. The information, which included tax records, bank account information, online bill paying records and other material, appears to have been stolen directly from computers that were using LimeWire's file-sharing software program.
  Number of records: 75

Oct. 26, 2006
  Hilb, Rogal & Hobbs (Plymouth Meeting, PA)
  In September 2006, a laptop computer was stolen from the insurance brokerage firm. It contained client information including the names, birthdates, and driver's license numbers of Villanova University students and staff who drive university vehicles.
  Number of records: 1,243 Villanova University students and staff

Oct. 27, 2006
  Gymboree (San Francisco, CA)
  A thief stole 3 laptop computers from Gymboree's corporate headquarters. They contained unencrypted human resources data (names and Social Security numbers) of thousands of workers.
  Number of records: Up to 20,000 employees

Oct. 27, 2006
  Hancock Askew & Co. (Savannah, GA)
  On October 5, 2006, a laptop computer containing 401(k) information for employees of at least one company (Atlantic Plastics, Inc.) was stolen from accounting firm Hancock Askew.
  Number of records: Unknown

Oct. 27, 2006
  Hertz Global Holdings, Inc. (Oklahoma City, OK) 1-888-222-8086
  The names and Social Security numbers of Hertz employees dating back to 2002 were discovered on the home computer of a former employee.
  Number of records: Unknown

Oct. 30, 2006
  Georgia county clerk of courts' web sites
  A Georgia TV station reported that SSNs could be found on some records posted on county clerk of court web sites, specifically for individuals with federal tax liens filed against them. At least one county clerk (Cherokee County) is now removing SSNs from the web site.
  Number of records: Unknown

Oct. 30, 2006
  Nissan Motor Co., Ltd. (Tokyo, Japan)
  The Japanese weekly magazine ``The Weekly Asahi'' reported that Nissan experienced the leak of a database containing customers' personal information sometime between May 2003 and February 2004. The data include the customer name, gender, birth date, address, telephone number, vehicle model owned (including base and class), and license plate number.
  Number of records: 5,379,909 customers (not included in total because the data apparently do not contain financial account information or SSNs)

Oct. 31, 2006
  Avaya (theft occurred in the Maitland, FL, office of the company, which is headquartered in Basking Ridge, NJ)
  A laptop stolen from an Avaya employee on October 16 in Florida contained personally identifiable information, including names, addresses, W-2 tax form information and SSNs.
  Number of records: Unknown

Nov. 2006
  Home Finance Mortgage, Inc. (Cornelius, NC)
  The company dumped files containing names, addresses, Social Security numbers, credit card numbers, and bank account numbers of people who had applied for mortgage loans. Home Finance and its owners have agreed to pay the State of NC $3,000 for their violations.
  Number of records: Unknown

Nov. 1, 2006
  U.S. Army Cadet Command (Fort Monroe, VA) 1-866-423-4474, e-mail: mydata@usaac.army.mil
  A laptop computer was stolen that contained the names, addresses, telephone numbers, birthdates, Social Security numbers, parent names, and mother's maiden names of applicants for the Army's four-year ROTC college scholarship.
  Number of records: 4,600 high school seniors

Nov. 2, 2006
  Colorado Dept. of Human Services via Affiliated Computer Services (ACS) (Dallas, TX). For questions, call ACS at (800) 350-0399
  On Oct. 14, a desktop computer was stolen from a state contractor who processes Colorado child support payments for the Dept. of Human Services. The computer also contained the state's Directory of New Hires. UPDATE (12/07/2006): When initially posted to this list, the number 1.4 million was not added to the total because we could not confirm whether SSNs were exposed. The PRC was contacted by an affected individual today who confirmed that names, addresses, SSNs and dates of birth were exposed.
  Number of records: Up to 1.4 million

Nov. 2, 2006
  Greater Media, Inc. (Philadelphia, PA)
  A laptop computer containing the Social Security numbers of the radio broadcasting company's current and former employees was stolen from their Philadelphia offices.
  Number of records: Unknown

Nov. 2, 2006
  McAlester Clinic and Veteran's Affairs Medical Center (Muskogee, OK)
  Three disks containing billing information, patient names and Social Security numbers were lost in the mail.
  Number of records: 1,400 veterans

Nov. 2, 2006
  Intermountain Health Care (Salt Lake City, UT)
  A computer purchased at a second-hand store, Deseret Industries, contained the names, Social Security numbers, employment records, and other personal information of Intermountain Health Care employees employed there in 1999-2000.
  Number of records: 6,244

Nov. 2, 2006
  Compulinx (White Plains, NY)
  The CEO of Compulinx was arrested for fraudulently using employees' names, addresses, Social Security numbers and other personal information for credit purposes. (It is unclear whether customers' data were also used.)
  Number of records: Up to 50 Compulinx employees

Nov. 3, 2006
  University of Virginia (Charlottesville, VA)
  Due to a computer programming error, Student Financial Services sent e-mail messages to students containing 632 other students' Social Security numbers.
  Number of records: 632 students

Nov. 3, 2006
  West Shore Bank (Ludington, MI)
  Customers' debit cards and possibly credit cards were compromised by a security break last summer at a common MasterCard point-of-purchase provider.
  Number of records: About 1,000

Nov. 3, 2006
  Wesco (Muskegon, MI)
  Wesco gas stations experienced a breach in credit card transactions from July 25 to Sept. 7, resulting in inaccurate charges to customer accounts.
  Number of records: Unknown

Nov. 3, 2006
  Starbucks Corp. (Seattle, WA) 1-800-453-1048
  Starbucks lost track of four laptop computers. Two held employee names, addresses, and Social Security numbers.
  Number of records: 60,000 current and former U.S. employees and about 80 Canadian workers and contractors

Nov. 3, 2006
  Several Joliet area motels (Joliet, IL)
  Motel owners and employees allegedly stole and sold customers' credit card numbers.
  Number of records: Unknown

Nov. 7, 2006
  City of Lubbock (Lubbock, TX)
  Hackers broke into the city's web site and compromised the online job application database, which included Social Security numbers.
  Number of records: 5,800

Nov. 9, 2006
  Four ARCO gas stations (Costa Mesa, CA; Westminster, CA; Torrance, CA)
  From Sept. 29 to Oct. 9, thieves used card skimmers to steal bank account numbers and PIN codes from gas station customers and used the information to fabricate debit cards and make ATM withdrawals.
  Number of records: At least 440

Nov. 10, 2006
  KSL Services, Inc. (Los Alamos, NM)
  A disk containing the personal information of approximately 1,000 KSL employees is missing. KSL is a contractor for Los Alamos National Laboratory.
  Number of records: Approximately 1,000

Nov. 13, 2006
  Connors State College (Warner, OK) (918) 463-6267 [email protected]
  On Oct. 15, a laptop computer was discovered stolen from the college. (It has since been recovered by law enforcement.) The computer contains Social Security numbers and other data for Connors students plus 22,500 high school graduates who qualify for the Oklahoma Higher Learning Access Program scholarships.
  Number of records: Considerably more than 22,500

Nov. 15, 2006
  Internal Revenue Service (Washington, DC)
  According to document(s) obtained under the Freedom of Information Act, 478 laptops were either lost or stolen from the IRS between 2002 and 2006. 112 of the computers held sensitive taxpayer information such as SSNs. UPDATE (04/05/07): A report by the Treasury Inspector General for Tax Administration noted that at least 490 IRS computers have been stolen or lost since 2003 in 387 security breach incidents that potentially jeopardized taxpayers' personal information. UPDATE (04/17/07): The Inspector General's assessment of 20 buildings in 10 cities discovered four separate locations at which hackers could have easily gained access to IRS computers and taxpayer data using wireless technology.
  Number of records: 2,359

Nov. 16, 2006
  American Cancer Society (Louisville, KY, offices; HQ in Atlanta, GA). If you have tips, call (502) 574-5673
  An unspecified number of laptop computers were stolen from the Louisville offices of the American Cancer Society. It is not clear what personal information was exposed, if any.
  Number of records: Unknown

Nov. 16, 2006
  Carson City residents (Carson City, NV)
  The Sheriff's Department reported that at least 50 residents had their credit card information stolen by employees of local businesses. The employees apparently sell the account information to international crime rings that produce counterfeit cards. The crime is called ``skimming.''
  Number of records: 50

Nov. 17, 2006
  Jefferson College of Health Sciences (Roanoke, VA)
  An email containing the names and SSNs of 143 students, intended for one employee, was inadvertently sent to the entire student body of 900.
  Number of records: 143

Nov. 17, 2006
  Automatic Data Processing (ADP) (Roseland, NJ)
  ADP sent paperwork for a small Wisconsin company to a Cordova, TN, coffee house. The paperwork contained names, birth dates, SSNs, addresses, salaries, and bank account and routing numbers.
  Number of records: Unknown

Nov. 20, 2006
  Administration for Children's Services (New York, NY)
  More than 200 case files from the Emergency Children's Services Unit of ACS were found on the street in a plastic garbage bag. The files contain sensitive information of families, social workers and police officers.
  Number of records: 200 case files (not included in total because it is not clear whether SSNs were exposed)

Nov. 25, 2006
  Indiana State Department of Health via Family Health Center of Clark County (Jeffersonville, IN)
  Two computers stolen from an Indiana state health department contractor contained the names, addresses, birth dates, SSNs and medical and billing information for more than 7,500 women. The data were collected as part of the state's Breast and Cervical Cancer Program.
  Number of records: 7,700

Nov. 27, 2006
  Johnston County, NC
  Personal data, including SSNs, of thousands of taxpayers were inadvertently posted on the county web site. The information was removed from the site within an hour after officials became aware of the situation.
  Number of records: Unknown

Nov. 27, 2006
  Greenville County School District (Greenville, SC)
  School district computers sold to the WH Group at auctions between 1999 and early 2006 contained the birth dates, SSNs, driver's license numbers and Department of Juvenile Justice records of approximately 100,000 students. The computers also held sensitive data for more than 1,000 school district employees. UPDATE (12/10/06): A judge ordered the WH Group to return the computers and the confidential data on them to the school district.
  Number of records: At least 101,000 students and employees

Nov. 27, 2006
  Chicago Public Schools via All Printing & Graphics, Inc. (Chicago, IL)
  A company hired to print and mail health insurance information to former Chicago Public School employees mistakenly included a list of the names, addresses and SSNs of the nearly 1,740 people receiving the mailing. Each received the 125-page list of the 1,740 former employees.
  Number of records: 1,740 former Chicago Public School employees

Nov. 28, 2006
  Kaiser Permanente Colorado, its Skyline and Southwest offices (Denver, CO). For members who have questions: (866) 529-0813
  A laptop was stolen from the personal car of a Kaiser employee in California on Oct. 4. It contained names, Kaiser ID number, date of birth, gender, and physician information. The data did not include SSNs.
  Number of records: 38,000 (not included in total, because SSNs were apparently not exposed)

Nov. 28, 2006
  Cal State Los Angeles, Charter College of Education (Los Angeles, CA) (800) 883-4029
  An employee's USB drive was inside a purse stolen from a car trunk. It contained personal information on 48 faculty members and more than 2,500 students and applicants of a teacher credentialing program. Information included names, SSNs, campus ID numbers, phone numbers, and e-mail addresses.
  Number of records: 2,534

Nov. 30, 2006
  Pennsylvania Dept. of Transportation (Hanover Township driver's license facility, Dunmore, PA). Affected individuals can call (800) PENNDOT with questions. Call PA Crimestoppers, (800) 4PATIPS, with tips; reward offered
  Thieves stole equipment from a driver's license facility late in the evening of Nov. 28, including computers containing personal information on more than 11,000 people. Information included names, addresses, dates of birth, driver's license numbers and both partial and complete SSNs (complete SSNs for 5,348 people). Also stolen were supplies used to create driver's licenses and photo IDs. The state maintains 97 driver's license facilities.
  Number of records: 11,384

Nov. 30, 2006
  TransUnion Credit Bureau via Kingman, AZ, court office
  Four different scam companies downloaded the credit information of more than 1,700 individuals, including their credit histories and SSNs. They were able to illegitimately obtain the password to the TransUnion account held by the Kingman, AZ, court office, which apparently has a subscription to the bureau's services.
  Number of records: ``more than 1,700 people''

Dec. 1, 2006
  TD Ameritrade (Bellevue, NE) (201) 369-8373
  According to a letter sent to employees, a laptop was removed (presumably stolen) from the office on Oct. 18, 2006, that contained unencrypted information including names, addresses, birthdates, and SSNs.
  Number of records: About 300 current and former employees

Dec. 2, 2006
  Gundersen Lutheran Medical Center (LaCrosse, WI)
  A Medical Center employee used patient information, including SSNs and dates of birth, to apply for credit cards in their names. As patient liaison, her duties included insurance coverage, registration, and scheduling appointments. She was arrested on 37 counts of identity theft, and was convicted of identity theft and uttering forged writing, according to the criminal complaint.
  Number of records: Unknown

Dec. 3, 2006
  City of Grand Prairie (Grand Prairie, TX)
  Employees of the city of Grand Prairie were notified that personal records were exposed on the city's Web site for at least a year. Included were the names and SSNs of ``hundreds of employees.'' The information has since been removed. The city had been working with a contractor on a proposal for workers' compensation insurance. Along with the proposal, names and SSNs were mistakenly listed.
  Number of records: ``hundreds of employees''

Dec. 5, 2006
  Army National Guard 130th Airlift Wing (Charleston, WV)
  A laptop was stolen from a member of the unit while he was attending a training course. It contained names, SSNs, and birth dates of everyone in the 130th Airlift Wing.
  Number of records: Unknown

Dec. 5, 2006
  Nassau Community College (Garden City, NY)
  A printout is missing that contains information about each of NCC's 21,000 students, including names, SSNs, addresses, and phone numbers. It disappeared from a desk in the Student Activities Office.
  Number of records: 21,000 students

Dec. 5, 2006
  H&R Block
  Many past and present customers received unsolicited copies of the program TaxCut that displayed their SSN on the outside.
  Number of records: Unknown

Dec. 6, 2006
  Premier Bank (Columbia, MO, with HQ in Jefferson City, MO)
  A report was stolen the evening of Nov. 16 from the car of the bank's VP and CFO while employees were celebrating an award received by the bank. The document contained names and account numbers of customers, but reportedly no SSNs.
  Number of records: 1,800 customers

Dec. 8, 2006
  Segal Group of New York, via web site of Vermont state agency used to call for bids on state contracts (Montpelier, VT)
  Names and SSNs of ``several hundred'' physicians, psychologists and other health care providers were mistakenly posted online by Segal Group, a contractor hired by the state to put its health management contract out for bid. The information was posted from May 12 to June 19. It was discovered when a doctor found her own SSN online.
  Number of records: ``several hundred, likely more'' health care providers. UPDATE (1/14/07): SSNs of ``more than 1,100 doctors, psychotherapists and other health professionals'' were exposed

Dec. 9, 2006
  Virginia Commonwealth University (Richmond, VA)
  Personal information of 561 students was inadvertently sent as attachments to an e-mail on Nov. 20, including names, SSNs, local and permanent addresses and grade-point averages. The e-mail was sent to 195 students to inform them of their eligibility for scholarships.
  Number of records: 561 students

Dec. 12, 2006
  University of California--Los Angeles (Los Angeles, CA). Affected individuals can call UCLA at (877) 533-8082; www.identityalert.ucla.edu
  Hacker(s) gained access to a UCLA database containing personal information on current and former students, current and former faculty and staff, parents of financial aid applicants, and student applicants, including those who did not attend. Exposed records contained names, SSNs, birth dates, home addresses, and contact information. About 3,200 of those notified are current or former staff and faculty of UC Merced and current and former staff of UC's Oakland headquarters.
  Number of records: 800,000

Dec. 12, 2006
  University of Texas--Dallas (Dallas, TX). Affected individuals can call (972) 883-4325; www.utdallas.edu/datacompromise/form.html
  The University discovered that personal information of current and former students, faculty members, and staff may have been exposed by a computer network intrusion, including names, SSNs, home addresses, phone numbers and e-mail addresses. UPDATE (12/14/06): The number of people affected was first thought to be 5,000, but was increased to 6,000. UPDATE (01/19/07): Officials now say 35,000 individuals may have been exposed.
  Number of records: 35,000 current and former students, faculty, staff, and others

Dec. 12, 2006
  Aetna/Nationwide/Wellpoint Group Health Plans via Concentra Preferred Systems (Dayton, OH)
  A lockbox holding personal information of health insurance customers was stolen Oct. 26. Thieves broke into an office building occupied by the insurance company vendor Concentra Preferred Systems. The lockbox contained computer backup tapes of medical claim data for Aetna and other Concentra health plan clients. Exposed data include member names, hospital codes, and either SSNs or Aetna member ID numbers. SSNs of 750 medical professionals were also exposed. Officials downplay the risk by stating that the tapes cannot be used on a standard PC. UPDATE (12/23/06): The lockbox also contained tapes with personal information of 42,000 NY employees insured by Group Health Insurance Inc. UPDATE (1/24/07): Personal data of 28,279 of Nationwide's Ohio customers were also compromised.
  Number of records: 130,000, plus 42,000 reported later, plus 28,279 reported later

Dec. 13, 2006
  Boeing (Seattle, WA)
  In early December, a laptop was stolen from an employee's car. Files contained names, salary information, SSNs, home addresses, phone numbers and dates of birth of current and former employees. UPDATE (12/14/06): Boeing fired the employee whose laptop was stolen. UPDATE (1/26/07): The laptop was recovered.
  Number of records: 382,000 current and former employees

NOTE: The 100 million mark was reached Dec. 13, 2006. News coverage of this dubious milestone appeared in IDG, in Poulsen and Singel's Wired Blogs, in VNUnet, the Washington Post, the NY Times and GovExec, and PogoWasRight published a commentary on the matter. Please note: the number refers to *records,* NOT persons. Many individuals have experienced more than one breach. The major source for the breaches reported in this list is the list-serve and web site of Attrition.org.

Dec. 14, 2006
  Electronic Registry Systems, affecting Emory University (Emory Hospital, Emory Crawford Long Hospital, Grady Memorial Hospital), Geisinger Health System (Pennsylvania), Williamson Medical Center (Nashville, TN)
  On Nov. 23, 2006, two computers (one desktop, one laptop) were stolen from Electronic Registry Systems, a business contractor in suburban Springdale, OH, that provides cancer patient registry data processing services. They contained the personal information (name, date of birth, Social Security number, address, medical record number, medical data and treatment information) of cancer patients from hospitals in Pennsylvania, Tennessee, Ohio and Georgia, dating back to 1977 at some hospitals. UPDATE (1/14/07): The number of affected patients was increased from 25,000 to 63,000.
  Number of records: More than 63,000 patients

Dec. 14, 2006
  Riverside High School (Durham, NC)
  Two students discovered a breach in the security of a Durham Public Schools computer as part of a class assignment. They reported to school officials that they were able to access a database containing SSNs and other personal information of thousands of school employees. The home of one student was searched by Sheriff's deputies and the family computer was seized.
  Number of records: ``thousands of school employees''

Dec. 14, 2006
  St. Vrain Valley School District (Longmont, CO)
  Paper records containing student information were stolen, along with a laptop, from a nurse's car on Nov. 20. Personal information included students' names, dates of birth, names of their schools, what grade they are in, their Medicaid number (presumably SSNs), and their parents' names. The laptop contained no personal data.
  Number of records: 600 students

Dec. 14, 2006
  Bank of America (Charlotte, NC)
  A former contractor for Bank of America accessed, without authorization, the personal information (name, address, phone number, Social Security number) of an undisclosed number of customers for the purpose of committing fraud.
  Number of records: Unknown

Dec. 15, 2006
  University of Colorado--Boulder, Academic Advising Center (Boulder, CO) www.colorado.edu
  A server in the Academic Advising Center was the subject of a hacking attack. Personal information exposed included names and SSNs for individuals who attended orientation sessions from 2002-2004. CU-Boulder has since ceased using SSNs as identifiers for students, faculty, staff, and administrators.
  Number of records: 17,500

Dec. 15, 2006
  City of Wickliffe (Wickliffe, OH)
  Hackers breached security in one of the city's three computer servers containing personal information on some city employees, including names and SSNs.
  Number of records: 125 employees

Dec. 19, 2006
  Mississippi State University (Jackson, MS)
  SSNs and other personal information were ``inadvertently'' posted on a publicly accessible MSU Web site. The breach was discovered ``last week'' and the information has since been removed.
  Number of records: 2,400 students and employees

Dec. 20, 2006
  Lakeland Library Cooperative, serving 80 libraries in 8 counties (Grand Rapids, MI)
  Personal information of 15,000 library users in West Michigan was displayed on the Cooperative's Web site due to a technical problem. Information exposed included names, phone numbers, e-mail addresses, street addresses, and library card numbers. Children's names were also listed along with their parents' names on a spreadsheet document. The information has since been removed.
  Number of records: 15,000 library users

Dec. 20, 2006
  Big Foot High School (Walworth, WI)
  Personal information was accidentally exposed on the High School's Web site for a short time, perhaps about 36 minutes, according to a report. Information included last names, SSNs, and birthdates.
  Number of records: 87 current and former employees

Dec. 20, 2006
  Lake County residents, plus Major League Baseball players (Northbrook, IL)
  A Chicago man apparently removed documents from a trash bin outside SFX Baseball Inc., a sports agency that deals with Major League Baseball. He used information found on those documents to commit identity theft against at least 27 Lake County residents. Information found during a search of the thief's home included SSNs, birthdates, canceled paychecks, obituaries, and infant death records.
  Number of records: 27 residents of Lake County plus about 90 current and retired Major League Baseball players, for a total of 117 individuals

Dec. 20, 2006
  Deb Shops, Inc. (Philadelphia, PA) (800) 460-9704
  A hacker illegally accessed company Web pages and a related database used for Internet-based purchases. The intruder may have accessed customers' credit card information, including names on cards and credit card numbers.
  Number of records: Unknown

Dec. 21, 2006
  Santa Clara County employment agency (Santa Clara County, CA)
  A computer stolen from the agency holds the SSNs of approximately 2,500 individuals.
  Number of records: 2,500

Dec. 22, 2006
  Texas Woman's University (Dallas, Denton, and Houston, TX)
  A document containing names, addresses and SSNs of 15,000 TWU students was transmitted over a non-secure connection.
  Number of records: 15,000 students

Dec. 27, 2006
  Montana State University (Bozeman, MT)
  A student working in the loan office mistakenly sent packets containing lists of student names, Social Security numbers, and loan information to other students.
  Number of records: 259 students

Dec. 28, 2006
  U.S. State Department
  A bag containing approximately 700 completed passport applications was reported missing on December 1. The bag, which was supposed to be shipped to Charlotte, NC, was found later in the month at Los Angeles International Airport.
  Number of records: 700 (not included in total)

Dec. 30, 2006
  KeyCorp (Cleveland, OH)
  A laptop computer stolen from a KeyCorp vendor contains personally identifiable information, including SSNs, of 9,300 customers in six states.
  Number of records: 9,300

----------------------------------------------------------------------------------------------------------------
2007
----------------------------------------------------------------------------------------------------------------

Jan. 1, 2007
  Wisconsin Dept. of Revenue via Ripon Printers (Madison, WI) (608) 224-5163 www.privacy.wi.gov
  Tax forms were mailed to taxpayers in which SSNs were inadvertently printed on the front of some Form 1 booklets. Some were retrieved before they were mailed.
  Number of records: 171,000 taxpayers

Jan. 2, 2007
  Deaconess Hospital (Evansville, IN)
  A computer missing from the hospital holds personal information, including SSNs, of 128 respiratory therapy patients.
  Number of records: 128 patients

Jan. 2, 2007
  Notre Dame University (Notre Dame, IN, South Bend, IN)
  A University Director's laptop was stolen before Christmas. It contained personal information of employees, including names, SSNs, and salary information.
  Number of records: Unknown

Jan. 2, 2007
  News accounts are not clear as to source, but thought to be a realty office (Las Vegas, NV)
  About 40 boxes of financial paperwork, thought to be from loan applications, were found in a dumpster. One of the boxes visible to news reporters was said to contain paperwork with bank account details, photocopies of driver's licenses, SSNs and ``other private information.''
  Number of records: Unknown

Jan. 4, 2007
  Selma, NC, Water Treatment Plant (Johnston County, NC)
  A laptop stolen from the water treatment facility holds the names and SSNs of Selma volunteer firefighters.
  Number of records: Unknown

Jan. 4, 2007
  Unnamed medical center, via Newark Recycling Center (Stockton, CA)
  An individual found unshredded medical records in 36 boxes at the Newark Recycling Center.
  Number of records: Unknown

Jan. 5, 2007
  Dr. Baceski's office, internal medicine (Somerset, PA)
  A hard drive was stolen containing personal information on ``hundreds of patients.''
  Number of records: ``hundreds of patients''

Jan. 9, 2007
  Altria, the parent company of Philip Morris (Kraft Foods), also United Technologies, via benefits consultant Towers Perrin (New York, NY)
  5 laptops were stolen from Towers Perrin, allegedly by a former employee. The theft occurred Nov. 27, 2006. The computers contain names, SSNs, and other pension-related information, presumably of several companies, although news reports are not clear. UPDATE (1/11/07): NY police arrested ``a junior-level administrative employee'' of the company in the theft of the laptops.
  Number of records: 18,000 past and present employees, presumably of Altria (total number of affected individuals is unknown)

Jan. 10, 2007
  University of Arizona (Tucson, AZ)
  Breaches occurred in November and December 2006 that affected services of UA Student Unions, the University Library, and UA Procurement and Contracting Services. Some services were shut down for several days.
  Number of records: Unknown

Jan. 11, 2007
  University of Idaho, Advancement Services office (Moscow, ID) (866) 351-1860 www.identityalert.uidaho.edu
  Over Thanksgiving weekend, 3 desktop computers were stolen from the Advancement Services office containing personal information of alumni, donors, employees, and students. 331,000 individuals may have been exposed, with as many as 70,000 records containing SSNs, names and addresses.
  Number of records: 70,000

Jan. 12, 2007
  MoneyGram International (Minneapolis, MN)
  MoneyGram, a payment service provider, reported that a company server was unlawfully accessed over the Internet last month.
  Number of records: 79,000
It contained information on about 79,000 bill payment customers, including names, addresses, phone numbers, and in some cases, bank account numbers. Jan. 13, 2007........................ North Carolina Dept. of A laptop computer 30,000 taxpayers. Revenue (Raleigh, NC). containing taxpayer data was stolen from the car of a NC Dept. of Revenue employee in mid-December. The files included names, SSNs or federal employer ID numbers, and tax debt owed to the state. Jan. 16, 2007........................ University of New At least 3 computers Unknown. Mexico (Albuquerque, and 4 monitors were NM). stolen from the associate provost's office overnight between Jan. 2 and 3. They may have included faculty members' names and SSNs. Jan. 17, 2007........................ TJ stores (TJX), The TJX Companies Inc. 45,700,000 credit and including TJMaxx, experienced an debit card account Marshalls, Winners, ``unauthorized numbers. HomeSense, AJWright, intrusion'' into its 455,000 merchandise TKMaxx, and possibly computer systems that return records Bob's Stores in U.S. & process and store containing customer Puerto Rico--Winners customer transactions names and driver's and HomeGoods stores including credit card, license numbers. in Canada--and debit card, check, and possibly TKMaxx stores merchandise return in UK and Ireland transactions. It (Framingham, Mass.) discovered the U.S.: Call (866) 484- intrusion mid-December 6978 Canada: (866) 903- 2006. Transaction data 1408 U.K. & Ireland: from 2003 as well as 0800 77 90 15 mid-May through www.tjx.com. December 2006 may have been accessed. According to its Web site, TJX is ``the leading off-price retailer of apparel and home fashions in the U.S. and worldwide.''. UPDATE (2/22/07): TJX said that while it first thought the intrusion took place from May 2006 to January 2007, it now thinks its computer system was also hacked in July 2005 and on ``various subsequent dates'' that year. 
UPDATE (3/21/07): Information stolen from TJX's systems was being used fraudulently in November 2006 in an $8 million gift card scheme, one month before TJX officials said they learned of the breach, according to Florida law enforcement officials. UPDATE (3/29/07): The company reported in its SEC filing that 45.7 million credit and debit card numbers were hacked, along with 455,000 merchandise return records containing customers' driver's license numbers, Military ID numbers or Social Security numbers. UPDATE (4/22/07): Initially, TJX said the break-in started seven months before it was discovered. Then, on Feb. 18, the company noted the perpetrators had access to data for 17 months, and apparently began in July 2005. UPDATE (04/26/07): Three states' banking associations (MA, CT, and ME) filed a class action lawsuit against TJX to recover the costs of damages totaling ``tens of millions of dollars'' incurred for replacing customers' debit and credit cards. UPDATE (05/04/07): An article in the WSJ notes that because TJX had an outdated wireless security encryption system, had failed to install firewalls and data encryption on computers using the wireless network, and had not properly install another layer of security software it had bought, thieves were able to access data streaming between hand-held price- checking devices, cash registers and the store's computers. 21 U.S. and Canadian lawsuits seek damages from the retailer for reissuing compromised cards. Jan. 17, 2007........................ Rincon del Diablo 2 computers were stolen 500 customers. Municipal Water from the district District (Escondido, office. One included CA, plus names and credit card unincorporated numbers of customers. neighborhoods outside the city, and parts of San Marcos and San Diego, CA) (760) 745- 5522. Jan. 18, 2007........................ KB Home (Charleston, A computer was stolen 2,700 SC). from one of the home builder's offices. 
It likely contained names, addresses, and SSNs of people who had visited the sales office for Foxbank Plantation in Berkeley County near Charleston. Jan. 19, 2007........................ U.S. Internal Revenue 26 IRS computer tapes Unknown. Service via City of containing taxpayer Kansas City (Kansas information were City, MO). reported missing after they were delivered to City Hall. They potentially contain taxpayers' names, SSNs, bank account numbers, or employer information. The 26 tapes were the entire shipment received by the City last August. The disappearance was noticed late December 2006. Jan. 22, 2007........................ U.S. Dept. of Veteran's Folders of veterans' Unknown. Affairs (Seattle, WA). personal information were stolen from a locked car in Bremerton, WA. News stories are not clear on the type of information contained in the folders. Jan. 22, 2007........................ Chicago Board of About 100 computer 1.3 million voters. Elections (Chicago, discs (CDs) with 1.3 IL). million Chicago voters' SSNs were mistakenly distributed to aldermen and ward committeemen. CDs also contain birth dates and addresses. Jan. 23, 2007........................ Rutgers-Newark An associate 200 students. University, Political professor's laptop was Science Dept. (Newark, stolen, containing NJ). names and SSNs of 200 students. Rutgers no longers uses SSNs as student IDs, but student IDs from past years are still SSNs. Jan. 25, 2007........................ Clay High School A former high school Unknown. (Oregon, OH). student obtained sensitive staff and student information through an apparent security breach. The data was copied onto an iPod and included names, birth dates, SSNs, addresses, and phone numbers. Jan. 25, 2007........................ Ohio Board of Nursing The agency's Web site 3,031 newly licensed (Columbus, OH). posted names and SSNs nurses. of newly licensed nurses twice in the past 2 months. SSNs were supposed to have been removed before posting. Jan. 
25, 2007........................ Washiawa Women, Infants A WIC employee 11,500 current and and Children program apparently stole the former clients. (WIC) (Honolulu, HI) personal information (808) 586-8080 of agency clients, www.hawaii.gov. including SSNs, and committed identity theft on at least 3 families and perhaps 2 more. The Health Director said the agency will no longer use SSNs in its data base. Jan. 26, 2007........................ Indiana Dept. of The names and SSNs of 4,000 employees. Transportation INDOT employees were (Indianapolis, IN). inadvertently posted on an internal network computer drive sometime between Sept. 6 and Dec. 4, 2006. Jan. 26, 2007........................ Vanguard University On Jan. 16, 2 computers 5,015 financial aid (Costa Mesa, CA) (800) were discovered stolen applicants for 2005- 920-7312 from the financial aid 2006 and 2006-2007 www.identityalert. office. Data included school years. vanguard.edu. names, SSNs, dates of birth, phone numbers, driver's license numbers, and lists of assets. Jan. 26, 2007........................ WellPoint's Anthem Blue Cassette tapes 196,000 customers. Cross Blue Shield containing customer (Virginia) (800) 284- information were 9779. stolen from a lock box held by one of its vendors. Data included names and SSNs. Jan. 26, 2007........................ Chase Bank and the A Bossier woman bought 4,100 current and former Bank One, now a used desk from a former employees merged (Shreveport, furniture store. She ``from all over LA). discovered a 165-page Louisiana.'' spread sheet in a drawer that included names and SSNs of bank employees. The document was returned to the bank. Jan. 26, 2007........................ Eastern Illinois A desktop computer was 1,400 currently University stolen from the enrolled students. (Charleston, IL). Student Life office containing membership rosters--including SSNs, birthdates, and addresses--of the University's 23 fraternities and sororities. 
A hard drive and memory from 2 other computers were also stolen. Jan. 29, 2007........................ Mendoza College of A file of individuals Unknown. Business, Notre Dame who took the GMAT test University (Notre (Graduate Management Dame, IN, South Bend, Admissions Test) was IN). mistakenly left on a computer that was decommissioned. The computer was later reactivated and plugged into the Internet. Its files were available through a file-sharing program. Data included names, scores, SSNs and demographic information from 2001. Feb. 2, 2007......................... Massachusetts Dept. of A former state 1,200 people who Industrial Accidents contractor allegedly submitted claims. (Boston, MA) (800) 323- accessed a workers' 3249 ext. 560 compensation data file www.mass.gov/dia. and stole personal information, including SSNs. The thief used the data to commit identity theft on at least 3 individuals. Feb. 2, 2007......................... Indian Consulate via Visa applications and Unknown. Haight Ashbury other sensitive Neighborhood Council documents were recycling center (San accessible for more Francisco, CA). than a month in an open yard of a recycling center. Information included applicants' names, addresses, phone numbers, birthdates, professions, employers, passport numbers, and photos. A sampling of documents indicated that the paperwork included everyone who applied in the Western states from 2002-2005. Applicants were current and former executives of major Bay Area companies that have operations in India. Feb. 2, 2007......................... Wisconsin Assembly A document containing 109 Assembly members (Madison, WI). personal information and aides. of Wisconsin Assembly members was stolen from a legislative employee's car while she was exercising at a local gym. It contained names, addresses, and SSNs. Feb. 2, 2007......................... 
University of Missouri, A hacker broke into a 3,799 Research Board Grant UM computer server mid- Application System January and might have (Columbia, MO). accessed personal information, including SSNs, of 1,220 researchers on 4 campuses. The passwords of 2,579 individuals might also have been exposed. Feb. 2, 2007......................... New York Dept. of State The agency's Web site Unknown. (Albany, NY). posted commercial loan documents that mistakenly contained SSNs. The forms are posted to let lenders know the current financial status of loan recipients. Feb. 2, 2007......................... U.S. Dept. of Veteran's An employee reported a 48,000 veterans Affairs, VA Medical portable hard drive UPDATE (2/10/07): VA Center (Birmingham, stolen or missing that increases number of AL) (877) 894-2600. might contain personal affected veterans to information about 535,000, included in veterans including the total below Social Security UPDATE (2/12/07): VA numbers. reported that billing UPDATE (3/19/07): The information for 1.3 VA's Security million doctors was Operations Center has also exposed, referred 250 incidents including names and since July 2006 to its Medicare billing inspector general, codes, not included in which has led to 46 the total below. separate investigations. Feb. 3, 2007......................... CTS Tax Service The computer and hard 800 (Cassopolis, MI). drive of a tax preparation company were stolen. Data included names, bank account numbers, routing numbers, birthdates, SSNs, and addresses. Feb. 6, 2007......................... NY Dept. of Labor Laptop computer 537 (Glenn Falls, NY). containing personal information for people who were employed by 13 Capital Region businesses stolen from state tax auditor's apartment. Feb. 6, 2007......................... Metro Credit Services Files of the defunct ``thousands.'' (Hurst, TX). bill collection company containing medical records, phone bills and Social Security numbers were found in a trash bin. Feb. 
7, 2007......................... University of Nebraska An employee 72 (Lincoln, NE). accidentally posted SSNs of 72 students, professors, and staff on UNL's public Web site where they remained for 2 years. They have since been removed. Feb. 7, 2007......................... Johns Hopkins Johns Hopkins reported 52,000 past and present University and Johns the disappearance of 9 employees plus 83,000 Hopkins Hospital backup computer tapes patients. (Baltimore, MD). containing personal information of employees and patients, Eight of the tapes contained payroll information on 52,000 past and present employees, including SSNs and in some cases bank account numbers. The 9th tape contained ``less sensitive'' information about 83,000 hospital patients. Feb. 7, 2007......................... Front Range Ski Shop The shop's Web site was 15,000 customers. (Denver, CO). broken into and customer information including credit card account data may have been accessed. Feb. 7, 2007......................... A Toronto, Ontario, Credit card data for The number is not residence (Canada). more than 35,000 included in the total individuals from below because it is across North America not known how many of were discovered by the affected police when they individuals are from executed a search the U.S. warrant at a Toronto residence. A man has since been arrested on fraud and counterfeiting charges. Feb. 7, 2007......................... Central Connecticut Social Security numbers 750 students. State University (New of about 750 CCSU Britain, CT). students were exposed in the name and address window on envelopes mailed to them. The envelopes were not folded correctly. They contained IRS 1098T forms. Feb. 8, 2007......................... Piper Jaffrey W-2s sent to current ``more than 1,000 (Minneapolis, MN). and former employees employees''. in January included employees' Social Security numbers on the outside of the envelope. 
Though the numbers were not identified as Social Security numbers, they followed the standard XXX-XX-XXXX format. Executives indicated the mishap was an error by a third-party vendor. Feb. 8, 2007......................... St. Mary's Hospital A laptop was stolen in 130,000 (Leonardtown, MD). December that contained names, SSNs, and birthdates for many of the Hospital's patients. Feb. 9, 2007......................... East Carolina A programming error 65,000 students, University resulted in personal alumni, and staff (Greenville, NC) information of 65,000 members. www.ecu.edu/incident/ individuals being 877-328-6660. exposed on the University's Web site. The data has since been removed. Included were names, addresses, SSNs, and in some cases credit card numbers. Feb. 9, 2007......................... Radford University, A computer security 2,400 children. Waldron School of breach exposed the Health and Human personal information, Services (Radford, VA). including SSNs, of children enrolled in the FAMIS program, Family Access to Medical Insurance Security. Feb. 10, 2007........................ Official Indiana State A hacker gained access 5,600 individuals and Web site www.IN.gov to the State Web site businesses and 71,000 (888) 438-8397 Email: and obtained credit health-care workers. security;concerns@www. card numbers of IN.gov. individuals who had used the site's online services and gained access to Social Security numbers for 71,000 health-care workers. UPDATE (3/22/07): Investigators have identified a teen they believe hacked into the IN.gov as a prank. Feb. 14, 2007........................ Kaiser Medical Center A doctor's laptop was 22,000 patients, but (Oakland, CA) (866) stolen from the apparently only 500 529-0779. Medical Center records contained SSNs containing medical (the latter number is information of 22,000 included in total patients. But only 500 below). records contained SSNs. Feb. 14, 2007........................ Iowa Dept. 
of Education Up to 600 files of 600 G.E.D. recipients were viewed when the online database was hacked. Files included names, addresses, birthdates, and SSNs of G.E.D. graduates from 1965 to 2002. Feb. 14, 2007........................ Conn. Office of the Personal information of 1,753 State Comptroller state employees (Hartford, CT). including names and Social Security numbers was inadvertently posted on the Internet in a spreadsheet of vendors used by the state. Feb. 15, 2007........................ City College of San Names, grades, and SSNs 11,000 students. Francisco (San were posted on an Francisco, CA) (800) unprotected Web site 436-0108 www.ccsf.edu. after summer session in 1999. CCSF stopped using SSNs as studens IDs in 2002. Feb. 19, 2007........................ Seton Healthcare A laptop with uninsured 7,800 Network (North Austin, patients' names, birth TX). dates and Social Security numbers was stolen last week from the Seton hospital system. The uninsured patients had gone to Seton emergency rooms and city health clinics since July 1, 2005. Feb. 19, 2007........................ Clarksville-Montgomery Staff and faculty 633 County middle and high Social Security schools (Clarksville, numbers, used as TN). employee identification numbers, were embedded in file photos by the company that took yearbook pictures and inadvertently placed in a search engine on school system's Web site. Feb. 19, 2007........................ Stop & Shop Credit and debit card Unknown. Supermarkets (Rhode account information Island and Southern including PIN numbers MA) 877-366-2668. was stolen by high- tech thieves who apparently broke into checkout-line card readers and PIN pads and tampered with them. Feb. 19, 2007........................ Social Security Admin. Files of disability 13 (Milwaukee, WI). 
applicants containing Social Security numbers, addresses, phone numbers of family members, dates of birth and work history, and detailed medical information were lost/stolen when a telecommuting employee abandoned them in a locked filing cabinet at home after a threat of domestic violence. Several of the files were mailed back to the local SSA office months later; others were found in a dumpster recently, and four were never recovered. Feb. 20, 2007........................ Back and Joint 20 boxes containing ``hundreds''. Institute of Texas Social Security (San Antonio, TX). numbers, photocopies of driver's license numbers, addresses, phone numbers and private medical history of chiropractic patients were found in a dumpster. Feb. 21, 2007........................ Georgia Institute of Personal information of 3,000 Technology (Atlanta, former employees GA) 404-894-2499 mostly in the School [email protected]. of Electrical and Computer Engineering including names, addresses, Social Security number, other sensitive information, and about 400 state purchasing card numbers was compromised by unauthorized access to a Georgia Tech computer account. Feb. 22, 2007........................ Speedmark (Woodlands, Thieves stole several 35,000 TX). computers, one of which contained a database with personally identifying information including names, addresses, e- mail accounts, and Social Security numbers of Speedmark's mystery shopper employees and contractors. Feb. 23, 2007........................ Rabun Apparel Inc., Names and Social 1,006 former subsidiary of Security numbers of Fruit of the Loom former employees were (Rabun Gap, GA). accessible on the Internet from Jan. 15 until Feb. 20. Feb. 28, 2007........................ Gulf Coast Medical Patient information 9,900 Center (Nashville, TN including names and & Tallahassee, FL). Social Security numbers was compromised when two computers went missing. 
1,900 individuals were affected by a theft in Nashville, TN in November and 8,000 when another computer was stolen in Tallahassee in February. Mar. 1, 2007......................... Westerly Hospital Patient names, Social 2,242 (Westerly, RI). Security numbers, contact information as well as insurance information were posted on a publicly- accessible Web site. Mar. 2, 2007......................... Calif. Dept. of Health Benefit notification 54 Services (Sacramento, letters containing CA). names addresses, Medicare Part D plan names and premium payment amounts of some individuals enrolled in the California AIDS Drug Assistance Program (ADAP) were mailed to another enrollee. Mar. 3, 2007......................... Metropolitan State A faculty member's 988 College of Denver laptop computer that (Denver, CO) 866-737- contained the names 6622. and Social Security numbers of former students was stolen from its docking station on campus. Mar. 3, 2007......................... Johnny's Selected Seeds Hacker accessed credit 11,500 (Winslow, ME). card account information of online customers. About 20 credit cards have been used fraudulently. Mar. 7, 2007......................... Los Rios Community Student information 2,000 College (Northern including Social Calif.). Security numbers were accessible on the Internet after the school used actual data to test a new onine application process in October. Mar. 7, 2007......................... U.S. Census Bureau Personal information of 302 households. (Washington, D.C.). 302 households including names, addresses, phone numbers, birth dates and family income ranges were posted on a public Internet site multiple times over a five-month period from October 2006 to Feb. 15, 2007 when Census employees working from home tested new software records. Mar. 9, 2007......................... California National A computer hard drive 1,300 Guard (Sacramento, CA). 
containing Social Security numbers, home addresses, birth dates and other identifying information of California National Guard troops deployed to the U.S.-Mexico border was stolen. Mar. 10, 2007........................ University of Idaho A data file posted to 2,700 (Moscow, ID) the school's Web site www.vandalidentity.net contained personal 888-900-3783. information including names, birthdates and Social Security numbers of University employees. Mar. 12, 2007........................ Dai Nippon (Tokyo, A former contract Unknown. Japan). worker of a Japanese commercial printing company stole nearly 9 million pieces of private data on customers from 43 clients. The stolen data includes confidential information such as names, addresses and credit card numbers intended for use in direct mailing and other printing services. Customers of U.S.-based American Home Assurance Co. and Toyota Motor were affected. Mar. 13, 2007........................ U.S. Dept. of A total of 95 USDA Unknown. Agriculture computers were lost or (Washington, D.C.). stolen between Oct. 1, 2005, and May 31, 2006. Some may have contained personal information such as names, addresses, Social Security numbers and payment information. Two- thirds of the computers contained unencrypted data. Mar. 14, 2007........................ Wellpoint's Empire Blue An unencrypted disc 75,000 Cross and Blue Shield containing patient's unit in NY names, Social Security (Indianapolis, IN) 800- numbers, health plan 293-3443. identification numbers and description of medical services back to 2003 was lost en route to a subcontractor. UPDATE (3/14/07): The subcontrator reported that the CD that was reported missing on Feb. 9 has been found. Mar. 16, 2007........................ Ohio State Auditor A laptop containing 1,950 (Springfield, OH) personal information www.spr.k12.oh.us of current and former Click on Notification employees of of Data Theft. 
Springfield City Schools including their names and Social Security numbers was stolen from a state auditor employee's vehicle while parked at home in a garage. Mar. 19, 2007........................ Science Applications Barrels filled with Unknown. International Corp. thousands of sensitive (SAIC) (Boise, ID). documents including printed copies of e- mail and performance evaluations along with documents marked ``internal use only-- not for public release'' and ``for official use only'' were found on the curb outside of SAIC's local office. Mar. 20, 2007........................ Health Resources, Inc. From Jan 24, 2007 to 2,031 (Evansville, IN). Feb 6, 2007, a Web site glitch allowed employers with access to private health information to obtain the name, address, Social Security number, dependent names and birthdates of other patients. Mar. 20, 2007........................ Tax Service Plus (Santa Thieves stole the 4,000 Rosa, CA). company's backup computer, which contained financial data on thousands of tax returns dating back three years. Mar. 23, 2007........................ Group Health Two laptops containing 31,000 Cooperative Health names, addresses, Care System (Seattle, Social Security WA). numbers and Group Health ID numbers of local patients and employees have been reported missing. Mar. 23, 2007........................ Swedish Urology Group Three computer hard ``hundreds''. (Seattle, WA). drives with personal files on hundreds of local patients including was stolen. Mar. 26, 2007........................ Fort Monroe (Fort A laptop computer 16,000 Monroe, VA). containing the names, Social Security numbers and payroll information for as many as 16,000 civilian employees was stolen from an employee's personal vehicle. Bank account and bank routing information were not included. Mar. 27, 2007........................ St. Mary Parish Personal information 380 (Centerville, LA). including Social Security numbers of St. 
    Mary Parish public school employees was available on the Internet when a Yahoo! Web crawler infiltrated the server of the school's technology department.

Mar. 28, 2007........ RadioShack (Portland, TX). Records: Unknown.
    20 boxes of discarded records, including sales receipts with credit card numbers spanning from 2001 to 2005 and personal information of store employees, were found in a dumpster. UPDATE (04/03/07): The Texas Attorney General's Office filed an action against the Radio Shack store for violating the state's 2005 Identity Theft Enforcement and Protection Act.

Mar. 28, 2007........ TJX Companies--TJ Maxx and Marshalls. Records: See 1/17/07 posting.
    See the initial Jan. 17, 2007 posting for updated numbers and a summary of breach information--45.7 million credit and debit card numbers and 455,000 customer return records.

Mar. 30, 2007........ Los Angeles County Child Support Services (Los Angeles, CA). Records: 243,000.
    Three laptops containing personal information, including about 130,500 Social Security numbers (most without names), 12,000 individuals' names and addresses, and more than 101,000 child support case numbers, were apparently stolen from the department's office.

Mar. 30, 2007........ Naval Station San Diego's Navy College Office (San Diego, CA), (866) U-ASK-NPC, [email protected]. Records: Unknown.
    Three laptops were reported missing that may contain Sailors' names, rates and ratings, Social Security numbers, and college course information. The compromise could affect Sailors and former Sailors homeported on San Diego ships from January 2003 to October 2005 who were enrolled in the Navy College Program for Afloat College Education.

Mar. 30, 2007........ Univ. of Montana--Western (Dillon, MT). Records: 400.
    A computer disk containing students' Social Security numbers, names, birth dates, addresses and other personal information was stolen from a professor's office. The stolen information belonged to students enrolled in the TRIO Student Support Services program, which offers financial and personal counseling and other assistance.

Apr. 4, 2007......... UC San Francisco (San Francisco, CA), (415) 353-8100, [email protected], http://oaais.ucsf.edu/notice. Records: 46,000.
    An unauthorized party may have accessed the personal information, including names, Social Security numbers, and bank account numbers, of students, faculty, and staff associated with UCSF or UCSF Medical Center over the past two years by compromising the security of a campus server.

Apr. 5, 2007......... DCH Health Systems (Tuscaloosa, AL). Records: 6,000.
    An encrypted disc and hardcopy documents containing retirement benefit information, including Social Security numbers and other personal information, were lost. Tracking data indicates the package was delivered to the addressee's building, but the intended recipient never received the package.

Apr. 5, 2007......... Security Title Agency (Phoenix, AZ). Records: Unknown.
    Hackers defaced the company's Web site and may have accessed customer information that is stored on the same server as the site.

Apr. 6, 2007......... Hortica (Edwardsville, IL), (800) 851-7740, securedata@hortica-insurance.com. Records: Unknown.
    A locked shipping case of backup tapes containing personal information, including names, Social Security numbers, drivers' license numbers, and bank account numbers, is missing.

Apr. 6, 2007......... Chicago Public Schools (Chicago, IL), (773) 553-1142. Records: 40,000.
    Two laptop computers containing the names and Social Security numbers of current and former employees were stolen from Chicago Public Schools headquarters.

Apr. 9, 2007......... Turbo Tax. Records: Unknown.
    Using Turbo Tax online to access previous returns, a Nebraska woman was able to access tax returns of other Turbo Tax customers in different parts of the country. The returns contained the personal information needed to e-file, including bank account numbers with routing digits and Social Security numbers.

Apr. 10, 2007........ Georgia Dept. of Community Health (Atlanta, GA), (866) 213-3969. Records: 2,900,000.
    A computer disk containing personal information, including addresses, birthdates, dates of eligibility, full names, Medicaid or children's health care recipient identification numbers, and Social Security numbers, went missing from a private vendor, Affiliated Computer Services (ACS), contracted to handle health care claims for the state.

Apr. 11, 2007........ New Horizons Community Credit Union (Denver, CO). Records: 9,000.
    A laptop computer that contained personal information of members who had loans with the credit union was stolen from Protiviti, a consultant employed by Bellco Credit Union to conduct due diligence in preparation for a possible acquisition bid.

Apr. 11, 2007........ ChildNet (Ft. Lauderdale, FL). Records: 12,000.
    The organization responsible for managing Broward County's child welfare system believes a dishonest former employee stole a laptop from the agency's office. It contains personal information of adoptive and foster-care parents, including financial and credit data, Social Security numbers, driver's license data and passport numbers.

Apr. 11, 2007........ Black Hills State Univ. (Spearfish, SD), (605) 642-6215. Records: 56.
    Names and Social Security numbers of scholarship winners were inadvertently posted and publicly available on the university's Web site.

Apr. 12, 2007........ Bank of America (Charlotte, NC). Records: a ``limited'' number of people.
    A laptop containing personal information of current, former and retired employees, including names, addresses, dates of birth and Social Security numbers, was stolen when an employee was the ``victim of a recent break-in.''

Apr. 12, 2007........ Univ. of Pittsburgh Med. Center (Pittsburgh, PA). Records: 88.
    Personal information, including names, Social Security numbers, and radiology images of patients, was previously included in two medical symposium presentations that were posted on UPMC's Web site. Though the presentations were removed in 2005, they were apparently inadvertently re-posted on the site and only recently removed again.

Apr. 12, 2007........ GA Secretary of State (Atlanta, GA). Records: 75,000.
    30 boxes of Fulton County voter registration cards that contain names, addresses and Social Security numbers were found in a trash bin.

Apr. 15, 2007........ CVS Pharmacy (Liberty, TX). Records: ``hundreds''.
    The Attorney General of Texas filed a complaint against CVS Pharmacy for illegally disposing of personal information, including active debit and credit card numbers complete with expiration dates, and medical prescription forms with the customer's name, address, date of birth, issuing physician and the types of medication prescribed. The information was found in a dumpster behind a store that apparently was being vacated.

Apr. 18, 2007........ Ohio State Univ. (Columbus, OH). Records: 17,500.
    A hacker accessed the names, Social Security numbers, employee ID numbers and birth dates of 14,000 current and former staff members. In a separate incident, the names, Social Security numbers and grades of 3,500 former chemistry students were on class rosters housed on two laptop computers stolen from a professor's home in late February.

Apr. 18, 2007........ Univ. of CA, San Francisco (San Francisco, CA), (866) 485-8777, www.ucsf.edu/alert. Records: 3,000.
    A computer file server containing names, contact information, and Social Security numbers of study subjects and potential study subjects in studies on the causes and cures of different types of cancer was stolen from a locked UCSF office. For some individuals, the files also included personal health information.

Apr. 19, 2007........ New Mexico State Univ. (Las Cruces, NM). Records: 5,600.
    The names and Social Security numbers of students who registered online to attend their commencement ceremonies from 2003 to 2005 were accidentally posted on the school's Web site when an automated program moved what was supposed to be a private file into a public section of the site.

Apr. 20, 2007........ Los Alamos National Laboratory (Albuquerque, NM). Records: 550.
    The names and Social Security numbers of lab workers were posted on a Web site run by a subcontractor working on a security system.

Apr. 20, 2007........ U.S. Agriculture Dept. (Washington, DC). Records: 37,000.
    The Social Security numbers of people who received loans or other financial assistance from two Agriculture Department programs had been disclosed since 1996 in a publicly available database posted on the Internet.

Apr. 21, 2007........ Albertsons (Save Mart Supermarkets) (Alameda, CA), (510) 337-8340. Records: 81.
    Credit and debit card numbers were stolen using bogus checkout-line card readers; card numbers processed at those terminals were captured and some were misused.

Apr. 23, 2007........ Fed. Emergency Management Agency (FEMA) (Washington, DC). Records: 2,300.
    Social Security numbers of Disaster Assistance Employees were printed on the outside address labels of reappointment letters.

Apr. 24, 2007........ Purdue Univ. (West Lafayette, IN), (866) 307-8513. Records: 175.
    Personal information, including names and Social Security numbers of students enrolled in a freshman engineering honors course, was on a computer server connected to the Internet that had been indexed by Internet search engines and was consequently available to individuals searching the Web.

Apr. 24, 2007........ Baltimore County Dept. of Health (Baltimore, MD). Records: 6,000.
    A laptop containing personal information, including names, dates of birth, Social Security numbers, telephone numbers and emergency contact information of patients seen at the clinic between Jan. 1, 2004 and April 12, was stolen.

Apr. 25, 2007........ Neiman Marcus Group (Dallas, TX), (800) 456-7019. Records: 160,000.
    Computer equipment in the possession of a pension consultant, containing files with sensitive information including name, address, Social Security number, date of birth, period of employment and salary information of Neiman Marcus Group's current and former employees and their spouses, was stolen.

Apr. 26, 2007........ Ceridian Corp. (Minneapolis, MN). Records: 150.
    A former employee had data containing the personal information of employees, including ``ID'' and bank-account data, and then accidentally posted it on a personal Web site.

Apr. 27, 2007........ Google Ads (Mountain View, CA). Records: Unknown.
    Top sponsored Google ads linked to 20 popular search terms were found to install a malware program on users' computers to capture personal information, which was used to access online accounts at 100 different banks.

Apr. 27, 2007........ Caterpillar, Inc. (Peoria, IL). Records: Unknown.
    A laptop computer containing personal data of employees, including Social Security numbers, banking information and addresses, was stolen from a benefits consultant that works with the company.

Apr. 28, 2007........ Couriers on Demand (Dallas, TX). Records: ``Hundreds''.
    Personal information of job applicants was accidentally published to the Internet.

Apr. 29, 2007........ Univ. of New Mexico (Albuquerque, NM). Records: [3,000] (not included in the Total below because SSNs were apparently not compromised).
    Employees' personal information, including names, e-mail and home addresses, UNM ID numbers and net pay for one pay period for staff, faculty and a few graduate students, may have been stored on a laptop computer stolen from the San Francisco office of an outside consultant working on UNM's human resource and payroll systems.

May 1, 2007.......... Healing Hands Chiropractic (Sterling, CO). Records: ``Hundreds''.
    Medical records containing the personal information of chiropractic patients, including records, Social Security numbers, birth dates, addresses and, in some cases, credit card information, were thrown in a dumpster ``due to lack of office space''.

May 1, 2007.......... J. P. Morgan (New York, NY). Records: Unknown.
    Documents containing personal financial data of customers, including names, addresses and Social Security numbers, were found in garbage bags outside five branch offices in New York.

May 1, 2007.......... Maine State Lottery Commission (Hallowell, ME). Records: Unknown.
    Documents containing personal information such as names, Social Security numbers, references to workers' compensation claim records, psychiatric and other medical records, and police background checks were found in a dumpster.

May 1, 2007.......... Champaign Police Officers (Champaign, IL). Records: 139.
    The names and Social Security numbers of Champaign police officers were left on a computer donated to charity.

May 1, 2007.......... J. P. Morgan (Chicago, IL). Records: 47,000.
    A computer tape containing personal information of wealthy bank clients and some employees was delivered to a secure off-site facility for storage but was later reported missing.

May 3, 2007.......... Maryland Dept. of Natural Resources (Annapolis, MD). Records: 1,433.
    Personal information of current and retired employees, including names and Social Security numbers, was downloaded to a ``thumb drive'' by an employee who wanted to work at home; the drive was lost en route.

May 3, 2007.......... Louisiana State Univ., E.J. Ourso College of Business (Baton Rouge, LA). Records: 750.
    A laptop stolen from a faculty member's home contained personally identifiable information that may have included students' Social Security numbers, full names and grades.

May 3, 2007.......... Montgomery College. Records: Unknown.
    A new employee posted the personal information of all graduating seniors, including names, addresses and Social Security numbers, on a computer drive that is publicly accessible from all campus computers.

May 5, 2007.......... Transportation Security Administration. Records: 100,000.
    A computer hard drive containing payroll data from January 2002 to August 2005, including employee names, Social Security numbers, birth dates, and bank account and routing information of current and former workers, including airport security officers and federal air marshals, was stolen. UPDATE (5/14/07): The American Federation of Government Employees is suing the TSA for the loss of the hard drive. It calls the breach a violation of the Privacy Act.

May 7, 2007.......... Indiana Dept. of Administration (Indianapolis, IN). Records: ``dozens'' to ``no more than a couple hundred''.
    An employee uploaded a list of certified women- and minority-owned business enterprises to the department's Web site and inadvertently included their tax identification numbers, which for some businesses and sole proprietorships is the owner's Social Security number.

May 8, 2007.......... TX Health and Human Services Commission (Austin, TX). Records: ``millions''.
    Computer tapes containing employment information used to verify Medicaid claims, including Social Security numbers and wages, were missing for more than two weeks before being found.

May 8, 2007.......... Univ. of Missouri (Columbia, MO), (866) 241-5619. Records: 22,396.
    A hacker accessed a computer database containing the names and Social Security numbers of 2004 employees of any campus within the University system who were also current or former students of the Columbia campus.

May 11, 2007......... Univ. Calif. Irvine Medical Center (Irvine, CA). Records: 287.
    About 1,600 file boxes stored in an off-site university warehouse were discovered missing. Some of the files included patients' names, addresses, Social Security numbers and medical record numbers.

May 11, 2007......... Highland Hospital (Rochester, NY), [email protected], (866) 917-5034. Records: 13,000.
    Two laptop computers, one containing patient information including Social Security numbers, were stolen from a business office. The computers were sold on eBay, and the one containing personal information was recovered.

May 12, 2007......... Goshen College (Goshen, IN), [email protected], (866) 877-3055. Records: 7,300.
    A hacker accessed a college computer that contained the names, addresses, birth dates, Social Security numbers and phone numbers of students, and information on some parents; the suspected motivation was to use the system to send spam e-mails.

May 12, 2007......... Doctor and dentist (Leon Valley, TX). Records: Unknown.
    A local TV news reporter exposed that a medical office disposed of patient records without shredding them. Included were SSNs and dates of birth, as well as medical information.

May 14, 2007......... Community College of Southern Nevada (North Las Vegas, NV). Records: 197,000.
    A virus attacked a computer server and could have allowed a hacker to access students' personal information, including names, Social Security numbers and dates of birth, but the school is not certain whether anything was actually stolen from its computer system.

May 15, 2007......... IBM (Armonk, NY). Records: Unknown.
    An unnamed IBM vendor lost computer tapes containing information on IBM employees--mostly ex-workers--including SSNs, dates of birth, and addresses. They went missing in transit from a contractor's vehicle.

May 17, 2007......... Detroit Water and Sewerage Department (Detroit, MI). Records: 3,000 (not included in the Total below because it is not known whether the data included SSNs).
    A laptop containing City employee information was stolen from the vehicle of an insurance company employee.

May 17, 2007......... Georgia Div. of Public Health (statewide). Records: 140,000.
    The GA Dept. of Human Resources notified parents of infants born between 4/1/06 and 3/16/07 that paper records containing parents' SSNs and medical histories--but not names or addresses--were discarded without shredding.

May 18, 2007......... Alcatel-Lucent (Murray Hill, NJ). Records: Unknown.
    The telecom and networking equipment maker notified employees that a computer disk containing personal information was lost in transit to Aon Corp., another vendor. It contained names, addresses, SSNs, birth dates, and salary information of current and former employees.

----------------------------------------------------------------------------------------------------------------
Total number of records containing sensitive personal information involved in security breaches: 154,329,881
----------------------------------------------------------------------------------------------------------------