After word of the theft of a Mt. Diablo district laptop containing confidential information spread Friday, I received the following news release from General Counsel Greg Rolen. Although it was sent to me on Dec. 21, it appears that the news release may have been written days earlier, before letters were sent to the affected employees on Dec. 18.
“Concord – On December 1, 2012, a thief broke a window at the offices of Mt. Diablo Unified School District (‘district’) and stole a password-protected, unencrypted laptop. Law enforcement and district staff were immediately alerted by the office’s security system and have been investigating the incident. The stolen computer contained files that included names, dates of birth, addresses, and Social Security numbers for employees and former employees. No financial or bank account information was involved. The district has no reason to believe that the computer was stolen for the information on it or that the information on it has been improperly used in any way.
While the District has not received any reports of misuse, it will be sending letters to all individuals whose information was on the laptop by December 18, 2012. The letters will have instructions for enrolling in credit monitoring that is being paid for by the district. The district will also provide a dedicated call center for individuals who receive a letter to call.
The letters will be mailed to all individuals who worked at the District between 1998 and 2010. If you do not receive a letter by December 21, 2012, please visit our website where you will find instructions on how to find out if you are affected. We will use the United States Post Office change of address database to find current addresses.
‘We do not believe that any of the information was improperly used, however, as a precautionary measure, we are making this notification and offering eligible individuals one year of credit monitoring and assistance in identity theft protection,’ said Superintendent Dr. Steven Lawrence.
The district deeply regrets any inconvenience this incident may cause. To help prevent a similar incident from happening in the future, the district has implemented measures to minimize the use of employee Social Security numbers [and will install encryption on computers that contain sensitive information].”
After I attended a special board meeting at the district office Friday, Chief Financial Officer Bryan Richards told me that 15,927 letters had been sent to employees and former employees of the district. In addition, he told me that a second round of similar letters would be sent to 2,200 people who worked in the Berkeley school district between 2003-04, because their confidential information was also believed to have been on the laptop.
Richards confirmed that the laptop was stolen from his office and said it had been a “loaner” because his regular laptop was “in the shop.” Two bricks were found outside his office where a window was broken, he said.
The laptop had previously been used by an employee who had worked for the Berkeley district before coming to the Mt. Diablo district, he said. That employee no longer works for Mt. Diablo, he added.
Richards said the district didn’t notify employees sooner because it took a while to determine what was on the laptop, using a backup system. He also said it took a while to find the current addresses of the people whose information was on the laptop.
The Social Security information was left over from the time when districts used to put such data on payroll documents, Richards said. Now, he said, Social Security numbers are no longer used on paycheck stubs.
Regarding the surveillance video, Richards said it was his understanding that it had been reviewed and that it was not possible to identify the suspect(s).
Board President Cheryl Hansen said she wasn’t sure how much it was costing the district to provide the identity theft service, but she thought it might be covered by district insurance. She said the board learned about the theft during closed session Dec. 10, under “anticipated litigation,” since it’s possible that employees could hold the district liable if their identities are stolen.
Richards said the district has already begun implementing procedures that do not use Social Security numbers in documents. He has also begun exploring the possibility of using encryption, but no decision has been made about contracting for that service, he added.
The big outstanding question here is: Why did a “loaner” laptop that apparently wasn’t being used by any employee have all that confidential information on it? And how many other computers in the district may have this type of information on them and be loaned out to employees when their computers are in the shop?
Richards said his laptop, which was being repaired, did not contain this type of confidential information.
Trustee Brian Lawrence told me he wants to review the district’s security protocols and strengthen them, where they may be lacking. Clearly, computers should be wiped clean of confidential information when employees who are using them leave the district (or when the information is no longer being used).
Alicia Minyen has said the district needs to hire an internal auditor. I’m not sure if an internal auditor would have caught this, but it seems pretty likely that an internal auditor would not condone keeping this kind of data on “loaner” laptops.
What do you think the district should do to tighten up its protection of confidential employee information?
DEC. 28 UPDATE: I have just spoken to CFO Bryan Richards, who clarified that the information was not on a “loaner” laptop after all. He said it was a laptop that had been reassigned to him by the Technology Information Systems Dept. and the data had been transferred from his previous computer, which was left over from a previous CFO. He said he is not sure who brought the data to MDUSD from Berkeley.
In addition, Richards said he could not answer questions regarding how much it is costing to provide the free identity theft service. That question, along with any other legal or insurance questions, should be answered by Greg Rolen, he said. Unfortunately, however, Rolen has not yet responded to my phone message asking for more information.
DEC. 28 UPDATE: Here is a followup story that touches on questions about the theft being raised by MDUSD employees and retirees: http://bit.ly/10u3WLg
I will prepare a new blog post with additional information I received from Rolen and Richards.