Social security numbers, gender, and dates of birth of approximately 22,000 State of Delaware retirees were accidentally posted online. According to the AP, as reported in the Newark Post, Aon Consulting accidentally posted the information to the procurement section of the State’s website as part of an RFP soliciting bids from insurance companies to provide vision benefits to current employees and retirees. The data remained online for five days before being removed. The employees’ names were not posted.
In response to the data breach, Aon is reportedly taking the following actions:
- Contact each affected individual by letter to inform them of the incident and the steps taken to address it;
- Post public notices in states where there are more than 500 affected individuals;
- Provide 1 year of free credit monitoring;
- Establish a toll-free phone line to respond to questions; and
- Notify U.S. DHSS.
This is an example of a data breach that involved no fault on the part of the employer (the State of Delaware); the exposure came from a third-party vendor handling the data. It demonstrates that, even when the employer takes all precautions, its employees’ personal data may still be breached.
More than a year ago, I posted about what an employer should do in the event that employees’ confidential information is stolen or otherwise compromised. (See What to Do If Your Employees’ Confidential Data is Stolen.) In Delaware, and in many other states, there is a law that addresses what obligations employers and other entities have. (See 6 Del. C. Chp. 22, Credit and Identity Theft Protection.) The FTC’s Identity Theft Site and its Guide for Businesses, Protecting Personal Information (PDF), are two other helpful resources.
The best plan is one that you make in advance. There is no better time than now to review your internal response procedures, so that you are prepared should your employees’ confidential or personal information be publicized accidentally.