Skip to main content

Privacy Monday

Breaches, lawsuits and legislation this Monday, July 15

 

Programming Error Leads to “Low Tech” Data Breach at Indiana Family and Social Services Administration

Although it started with a programming error, the breach itself was paper document.  Apparently, a programming error led to the accidental disclosure of personal information of Indiana residents to other clients of the Indiana Family and Social Services Administration.

The error caused an undetermined number of paper documents being sent to clients to be duplicated and included with documents sent to other clients, so some people may have received others' information along with their own, according to the agency, which handles programs including Medicaid and food assistance for the state.

According to the agency, the problem may have occurred back in April when a contractor, RCR Technology Corp., made a programming error to a document management system.

The state agency has notified the 187,553 people who may have been affected. As of July 12, the agency said, it estimated the number to be “very small.”    If you are one of the nearly 4,000 people who had this information sent to the wrong person, that determination is relative.

FSSA and RCR have, at the direction of Gov. Mike Pence (R), “expedited work to determine the specific clients involved,” the agency said in a July 12 statement. RCR has retained reporting software company I-net Software to determine the exact number and identities of clients affected by the breach within the next few weeks, FSSA said.

Of the 187,553 clients affected, 3,926 may have had their Social Security numbers disclosed. Other information that may have been inadvertently sent to others included name, address, case number, date of birth, gender, race, telephone number, email address, types of benefits received, monthly benefit amount, employer information, financial information, and medical information.

For more information:  eSecurity Planet

Indiana Family and Social Services Administration Release

 

Have You Checked in on Your Shredding Vendors Lately?

Two of the biggest document-shredding companies in the country have agreed to pay a total of $1.1 million to settle a lawsuit alleging the companies defrauded the U.S. government by failing to shred sensitive documents as required by contract.

Iron Mountain Corp., has agreed to pay $800,000 and Shred-It USA, a second company named in the lawsuit, has agreed to pay $300,000. A third defendant, Cintas Corp., continues to contest allegations that it failed to properly shred sensitive documents. The lawsuit was a whistleblower case filed in federal district court in Philadelphia in 2010 by a family-operated shredding business.  "This case presents a real-life David versus Goliath,” said attorney Michael A. Morse, who represented the plaintiff. “Mr. Knisely, the owner of a small, family shredding business in central Pennsylvania refused to cut corners in order to obtain government contracts. He had the courage to blow the whistle on the three largest shredding companies in the nation," Morse said.

Read more, including details of the complaint:  Wall Street Journal

 

Military Consumer Protection Day

This Wednesday July 17, 2013 marks Military Consumer Protection Day!  Our military men and women can face unique consumer protection challenges for a host of reasons, including the fact that they are often relocating and don’t know what businesses they can trust.  There are a number of  scams specifically targeting military members –for example some fraudsters are trying to poach veterans’ pensions.  The Military Consumer Protection site offers lots of information for military members and businesses, be sure to check it out!

 

Privacy legislation in Massachusetts

There are several pieces of legislation on the table in Massachusetts:

The Electronic Privacy Act (S 796; H 1684) would require law enforcement to obtain a warrant to access personal electronic information--such as details of telephone use, contacts, location, and e-mail and other communication--from telecommunications companies, and would bring accepted long-standing Massachusetts law and practices governing search warrants into the digital age.

The Drone Privacy Act (Sen. Hedlund and Rep. Garry: S.1664; H.1357) aims to regulate the use of aerial surveillance vehicles to ensure that this emerging technology is used responsibly in Massachusetts—without weapons and not for warrantless surveillance of residents.

The Free Speech Act (Sen. Chandler and Rep. Lewis: S.642; H.1457) would prohibit law enforcement from collecting information about individuals' political and religious views, associations or activities, unless it relates directly to a criminal investigation based on reasonable suspicion of criminal conduct.

 

 

Subscribe To Viewpoints

Author

Cynthia J. Larose

Member / Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.