Title: Missing Woodbury Financial USB Contained Client Data - Office of the Attorney General of New Hampshire
Date: 06/01/10
Business Activities: Security - Technical Safeguards, Security - Physical Safeguards, Breach Response
Impact to Subscriber:

A USB drive containing sensitive information was reported missing; in response to the breach the organisation searched for the USB drive but it was not found. It was recommended that those affected should review account statements and credit reports and take part in a credit monitoring program to prevent identity theft provided by the organisation; the program included $1,000,000 of identity theft insurance and the organisation also reimbursed cost of any credit freeze customers elected to put on their credit file.
Authority:
Risk Guidance:
Control Guidance:

Relevance:
Background Facts:   
  • Woodbury Financial Services, a broker dealer affiliated with The Hartford, notified the Attorney General of a data breach of client information.

Relevance to Business Activities:

  • security-technical and physical safeguards considerations:
    • Woodbury Financial Services Inc. is a broker dealer affiliated with The Hartford that uses independent registered representatives to sell their products;
    • in March 2010, an independent registered representative gave to Woodbury staff an unencrypted portable media device (also called a USB drive) containing client information including:
      • names;
      • addressees;
      • Social Security numbers;Risk
      • dates of birth; and
      • identification numbers of three New Hampshire residents.Risk
    • the device was reported missing in April 2010.

 

  • breach response considerations:
    • to respond to this incident:
      • The Hartford assembled its Security Event Response team ("SER") to contain, control and assess the situation;
      • a thorough search of the Woodbury facility was conducted:
        • but the device was not found.Risk
      • the SER had no reason to believe that this information was or will be misused;
      • the SER was able to recreate the information contained on the device and prepared a customer notification letter;
      • a letter was sent to the Attorney General that outlined the data breach and response efforts as well as a copy of the notification letter to be sent to affected customers;
      • the letter sent to customers:
        • outlined the circumstances of the breach;
        • stated Woodbury was taking the incident very seriously and was reviewing and updating its policies and procedures to prevent similar events from occurring in the future;
        • explained that while there was no evidence that the client's information had been, or would be, misused:
          • it was recommended that the client review account statements and any credit reports available, including those available through the credit monitoring program being offering by Woodbury:
            • Woodbury offered to pay for the enrollment in a credit watch program that monitors identity theft for a two-year period;
            • the plan included:
              • comprehensive credit file monitoring;
              • unlimited free credit reports; and
              • $1,000,000 in identity theft insurance.
          • Woodbury also would reimburse the cost of any credit freeze a customer elected to put on their credit file.
      • Woodbury conducted a thorough investigation of its procedures and implemented additional seturity measures in handling customer data.


Source Document:

http://doj.nh.gov/consumer/pdf/woodbury.pdf

Privacy Statement · Legal notice