As more people find out about the theft of a laptop computer that belonged to Mt. Diablo school district Chief Financial Officer Bryan Richards and contained confidential employee information, new questions are arising.
I sent an email with the following questions to General Counsel Greg Rolen. His emailed responses are below the questions.
1. How much is it costing the district to provide the free identity theft protection to affected employees and retirees for one year?
2. Is the district’s insurance covering all or a portion of the cost?
3. If so, what is the deductible amount?
4. If so, what is the expiration date of the insurance?
5. Please send me a copy of the letter that was sent to Berkeley school district employees or former employees regarding this incident.
“1. 2. The District’s initial response to the incident included, but was not limited to, address list management through the National Change Of Address and Deceased Suppression databases; printing, inserting and mailing the notifications; post breach return mail management services; and call center services. We have an estimated cost of $29,640. The credit monitoring and identity theft insurance is based on enrollment. Consequently, we are uncertain as to the final costs. However, we will be bringing these matters to the Board.
2. 3. The District has cyber liability insurance through Lloyds of London. This is part of the CSAC Excess Insurance maintained by the District. The Insurance policy provides for $10 million aggregate limit of liability and a $100,000 Self Insured Retention.
4. The Policy Period is March 31, 2012 to January 1, 2013. The Date of Loss falls within the policy period. Therefore we have full coverage. The District has the option to renew the cyber liability policy yearly.
5. See attached”
Here is what the attached letter said:
“To the Estate of Sample A Sample:
The confidentiality of personal information we maintain is critically important to Mt. Diablo Unified School District (“District”) and we take great efforts to protect it. Regrettably, we are writing to let you know about an incident involving some of that information.
One of our offices was burglarized on Saturday, December 1, 2012, and a password-protected, unencrypted computer was stolen after thieves broke a window. Law enforcement and District staff were immediately alerted because the was protected by a security camera, motion detector, and an alarm. During the investigation conducted by the District, we discovered that the computer contained a payroll file with information concerning employees of Berkeley Unified School District, including certain employees’ name and Social Security number. We believe a former Berkeley Unified School District employee who then came to work for the District and has since left inadvertently transferred the file to the District’s computer.
The District is working diligently with law enforcement. We have no reason to believe that the computer was stolen for the information on it or that the information on it has been improperly used in any way.
To prevent something like this from happening in the future, the district has implemented several measures to minimize the use of employee social security numbers in district reports and forms, other than when legally required. We apologize for the concern and inconvenience this situation may cause you. If you have any questions, please call 888-414-8019, Monday through Friday, 8:00 a.m. to 5:00 p.m. Pacific Time. When prompted, please enter the following 10 digit reference code: 6373121312.
Steven Lawrence, Ph.D.”
When I noticed that the Berkeley letter does not include information about signing up for a free year of identity theft protection, I emailed Rolen to ask if the district was providing that service to Berkeley employees.
Here is his emailed response:
“Yes, and those individuals have been so informed.”
I asked how they were informed and asked for a copy of that communication, but have received no response.
I also emailed Bryan Richards to ask about a retiree who left the district before 1998, but received a letter (even though the letter stated that affected Mt. Diablo employees worked for the district between 1998 and 2010).
Here is his emailed response:
“Theresa, I am out of the office and cannot look up the specific person you mention. However, if the retirees are still in the district’s medical plan, or if they have come back as substitutes since retiring, they may have been included for those reasons.
If anyone got the letter, it is because we identified their name or ssn as potentially exposed. We do not know with 100% certainty that all or any of them were actually on the machine that was taken, but we are acting in the most conservative manner that any that may have been on the drive based on what we have identified are noticed.”
Richards had previously told me the information was included in reports in archived files that had been “pulled by staff” and was transferred onto his laptop from a computer that belonged to his predecessor.
He said the district is reviewing its protocols to see if some files should be purged to protect against this type of incident happening in the future.
Board President Cheryl Hansen and Trustee Brian Lawrence have both said they intend to ask staff for a full report regarding the theft and district security protocols to determine what can be done to strengthen them.
What do you think the district should do to ensure that such a security breach does not happen again?