Part of the Bay Area News Group

MDUSD responds to questions regarding theft of laptop containing confidential employee information

By Theresa Harrington
Sunday, December 23rd, 2012 at 12:35 am in Education, Mt. Diablo school district.

After word of the theft of a Mt. Diablo district laptop containing confidential information spread Friday, I received the following news release from General Counsel Greg Rolen. Although it was sent to me on Dec. 21, it appears that the news release may have been written days earlier, before letters were sent to the affected employees on Dec. 18.

“Concord – On December 1, 2012, a thief broke a window at the offices of Mt. Diablo Unified School District (‘district’) and stole a password-protected, unencrypted laptop. Law enforcement and district staff were immediately alerted by the office’s security system and have been investigating the incident. The stolen computer contained files that included names, dates of birth, addresses, and Social Security numbers for employees and former employees. No financial or bank account information was involved. The district has no reason to believe that the computer was stolen for the information on it or that the information on it has been improperly used in any way.

While the District has not received any reports of misuse, it will be sending letters to all individuals whose information was on the laptop by December 18, 2012. The letters will have instructions for enrolling in credit monitoring that is being paid for by the district. The district will also provide a dedicated call center for individuals who receive a letter to call.

The letters will be mailed to all individuals who worked at the District between 1998 and 2010. If you do not receive a letter by December 21, 2012, please visit our website where you will find instructions on how to find out if you are affected. We will use the United States Post Office change of address database to find current addresses.

‘We do not believe that any of the information was improperly used, however, as a precautionary measure, we are making this notification and offering eligible individuals one year of credit monitoring and assistance in identity theft protection,’ said Superintendent Dr. Steven Lawrence.

The district deeply regrets any inconvenience this incident may cause. To help prevent a similar incident from happening in the future, the district has implemented measures to minimize the use of employee Social Security numbers [and will install encryption on computers that contain sensitive information].”

After I attended a special board meeting at the district office Friday, Chief Financial Officer Bryan Richards told me that 15,927 letters had been sent to employees and former employees of the district. In addition, he told me that a second round of similar letters would be sent to 2,200 people who worked in the Berkeley school district between 2003-04, because their confidential information was also believed to have been on the laptop.

Richards confirmed that the laptop was stolen from his office and said it had been a “loaner” because his regular laptop was “in the shop.” Two bricks were found outside his office where a window was broken, he said.

The laptop had previously been used by an employee who had worked for the Berkeley district before coming to the Mt. Diablo district, he said. That employee no longer works for Mt. Diablo, he added.

Richards said the district didn’t notify employees sooner because it took a while to determine what was on the laptop, using a backup system. He also said it took a while to find the current addresses of the people whose information was on the laptop.

The social security information was left over from the time when districts used to put such data on payroll documents, Richards said. Now, he said, social security numbers are no longer used on pay check stubs.

Regarding the surveillance video, Richards said it was his understanding that it had been reviewed and that it was not possible to identify the suspect(s).

Board President Cheryl Hansen said she wasn’t sure how much it was costing the district to provide the identity theft service, but she thought it might be covered by district insurance. She said the board learned about the the theft during closed session Dec. 10, under “anticipated litigation,” since it’s possible that employees could hold the district liable if their identities are stolen.

Richards said the district has already begun implementing procedures that do not use social security numbers in documents. He has also begun exploring the possibility of using encryption, but no decision has been made about contracting for that service, he added.

The big outstanding question here is: Why did a “loaner” laptop that apparently wasn’t being used by any employee have all that confidential information on it? And how many other computers in the district may have this type of information on them and be loaned out to employees when their computers are in the shop?

Richards said his laptop, which was being repaired, did not contain this type of confidential information.

Trustee Brian Lawrence told me he wants to review the district’s security protocols and strengthen them, where they may be lacking. Clearly, computers should be wiped clean of confidential information when employees who are using them leave the district (or when the information is no longer being used).

Alicia Minyen has said the district needs to hire an internal auditor. I’m not sure if an internal auditor would have caught this, but it seems pretty likely that an internal auditor would not condone keeping this kind of data on “loaner” laptops.

What do you think the district should do to tighten up its protection of confidential employee information?

DEC. 28 UPDATE: I have just spoken to CFO Bryan Richards who clarified that the information was not on a “loaner” laptop after all. He said it was a laptop that had been reassigned to him by the Technology Information Systems Dept. and the data had been transferred from his previous computer, which was left-over from a previous CFO. He said he is not sure who brought the data to MDSUD from Berkeley.

In addition, Richards said he could not answer questions regarding how much it is costing to provide the free identity theft service. That question, along with any other legal or insurance questions, should be answered by Greg Rolen, he said. Unfortunately, however, Rolen has not yet responded to my phone message asking for more information.

DEC. 28 UPDATE: Here is a followup story that touches on questions about the theft being raised by MDUSD employees and retirees: http://bit.ly/10u3WLg

I will prepare a new blog post with additional information I received from Rolen and Richards.

[You can leave a response, or trackback from your own site.]

  • Theresa Harrington

    Pat, I asked Richards about this and he said he’d need to look at the individual information for the people involved to try to determine if they were affected. Would you or your friends be willing to talk to me “on the record” about this for a follow-up story I’m working on?
    If so, please call me at 945-4764.
    Thanks!

  • Theresa Harrington

    Here’s more of what Richards told me yesterday regarding why the data was on his laptop:

    “It was information that was part of reports that staff had pulled from the system.
    The backups are imaged by which job title person they belong to.
    For example, when an employee upgrades computers, or whatever, the technology dept backs up their files, so those files are added to the new machine.
    They were files that came from the CFO’s previous laptop – the original laptop that I inherited when I started in this dist. When it was upgraded to the laptop that I had…they backup the files and then move them back over, so the files would have been part of what was on the laptop at that time.”

  • Rich

    So, all the time that Bryan Richards had the previous CFO’s laptop, he never checked to see what files had been pulled off the file server and stored on the laptop? When Richards got the new laptop it sounds like he didn’t check to see what files were on his new laptop, probably becaue he didn’t know that the new laptop was “his” laptop. The new laptop was left on his desk, on a Friday evening, and then a early riser burglar came by with two bricks, broke a window about 6:00 a.m. on a Saturday morning and took just that one laptop. Plus, someone then was able to determine what files were on that computer that Richards did not know about when he had the new computer and the old computer.
    I get it.

  • Theresa Harrington

    I just spoke to the PIO in Berkeley, who said that district immediately sent letters to affected employees and former employees to alert them of the breach. They still haven’t received their letters from MDUSD.
    The PIO said the Berkeley district believes the data was accidentally transferred to a computer by a temporary BUSD employee who later went to MDUSD. He said he didn’t know the employee. When I asked him if it was Steve Pavlina, he said that name didn’t ring a bell.

  • Anon

    Richards needs to resign or be placed on administrative leave. This is a disaster and he is responsible for it. Finis

  • g

    Yes, Rich. And in the thousands of times that Richards must have scrolled through files or opened folders to get to the one he wanted, the descriptive words ‘Berkeley’ ‘SSN’ ‘Private’ ‘Personal’ ‘Personnel’ simply never caught his attention to get him to question why he had such files, or legal ramifications of having such files on an un-encrypted computer.

    Of course, he has only had four years with that data. These things take time.

  • Theresa Harrington

    Since I have been unable to reach Richards by phone today, I just tried emailing him and got this response:

    “I am out until Wednesday, January 2nd. I will respond to your message when I return.
    Bryan Richards
    CFO
    Mt. Diablo USD”

    I have also emailed Rolen, with a copy to the superintendent, but have not heard back.

  • Doctor J

    @th#107 I think you just got played. :-) I hope you put out public records requests before Christmas so the time is ticking.

  • Theresa Harrington

    I received a response from Rolen.

  • Theresa Harrington

    Please note that I have added a Dec. 28 update to this blog post with a link to my follow-up story. I will create a separate blog post with additional information I have received from Rolen and Richards.

  • Theresa Harrington

    Here is my new blog post, with additional information from Rolen and Richards: http://www.ibabuzz.com/onassignment/2012/12/28/mdusd-responds-to-more-questions-about-laptop-theft/