• Bristol Myers Squib ("Bristol Myers") suffered a data breach that affected the personal information of 6,500 current and former Bristol Myers employees who live in Connecticut.

• security - physical and technical safeguards considerations in the context of vendor management:
• on June 3, backup tapes were stolen from a contractor van in Brazil on its way to a storage facility;
• the tape was unencrypted, but had numerous, sophisticated security features that would make it difficult to access;
• the information on the backup tapes included:
• Social Security numbers;
• names;
• addresses;
• phone numbers;
• birthday;
• marital status;
• race;
• citizenship; and
• veteran status.

• breach response considerations:
• Bristol Myers in July provided affected employees with 1 year of:
• free credit monitoring; and
• $25,000 insurance against identity theft.
• the Connecticut Attorney General ("AG") learned of the data breach in late August:
• the AG requested Bristol Myers increase the protections to 2 years; and
• Bristol Myers agreed.
• Bristol Myers also agreed to AG's demand for:
• additional identity theft protections for the affected Connecticut residents, i.e.:
• reimbursement for credit freezes; and
• guaranteed coverage of losses up to $1 million:
• replacing its previous offer of $25,000 identity theft insurance.
• Bristol Myers will notify Connecticut residents by letter of the:
• latest safeguards; and
• details on how to seek reimbursement.

Source Document:

http://www.ct.gov/ag/cwp/view.asp?A=2341&Q=424754