Title: Notice of Unauthorized Disclosure of Personal Information - Huron Consulting Group - Office of the Attorney General of New Hampshire
Date: 08/01/08
Business Activities: Breach Response, Security - Physical Safeguards, Security - Technical Safeguards
Impact to Subscriber: An example of a data privacy violation due to an employee, with authorized access, downloading sensitive financial information of other employees.
Authority:
Risk Guidance:
Control Guidance:

Relevance:
Background Facts:
  • Huron Consulting Group ("HCG") notifies the Attorney General of New Hampshire ("AG") of a data privacy violation in accordance with N.H. Rev. Stat. Ann. § 359-C:19 et seq.

Relevance to Business Activities:

  • security - technical and physical safeguards considerations:
    • on July 1, 2008, HCG discovered that an employee may have:
      • stolen paychecks; and
      • fraudulently endorsed and cashed/deposited them.
    • the employee had an associate return the company laptop computer to HCG on July 8, 2008;
    • forensic review of the laptop revealed that the employee, who had authorized access to personal financial information of HCG current and former employees, had:
      • downloaded a full set of employee W-2 forms in a text file onto her laptop.

 

  • breach response considerations:
    • in the letter dated July 15, 2008 to the AG, HCG advised as follows:
      • the details of the breach including that:
        • it has terminated the employee, but:
          • has not been able to locate the employee.
      • the potential unauthorized use of information involves HCG employee information including that of:
        • 9 New Hampshire residents.
      • HCG has no information of any use (malicious or otherwise) of this information by the employee;
      • employees will be notified:
        • as expeditiously as possible by:
          • email; and
          • letter to their last known address.
        • that personal information may not have been fully secured so that:
          • they can take steps to protect their personal information and credit.
      • the matter has been reported to local law enforcement and the FBI.
    • the attached sample notification letter to employees informs them:
      • of the data privacy violation;
      • that the likelihood of misuse is low;
      • that affected employees will be offered:
        • one free year of daily credit monitoring;
        • one free 3-bureau credit report and score;
        • toll free access to a dedicated team of fraud resolution representatives if fraudulent activity is detected;
        • $25,000 in identity theft insurance, excluding:
          • residents of New York, due to New York state law restrictions.


Source Document:

http://doj.nh.gov/consumer/pdf/huron.pdf
