The University of Delaware announced that confidential employee data was compromised, reports the News Journal. And the breach is a sizeable one: the university estimates that the names, addresses, and social security numbers of more than 72,000 current and former employees may have been stolen. As reported by the News Journal, the university “is working to notify everyone who had their information compromised” and the school will pay for credit-monitoring services.
An employee in the IT Department apparently discovered a possible breach on July 22. At that time, though, the university was not sure whether a breach had occurred or, if so, how far the problem extended. But a forensic investigation confirmed that the data had been compromised.
Like many other states, Delaware has a computer-breach law that governs how an entity must respond when it suspects that a breach of personal information has occurred. “Personal information” includes, among other things, social security numbers, so the breach at UD triggers the law’s requirements. The university seems to have complied with these requirements by promptly conducting an investigation and then, when the investigation indicated that a breach had occurred, notifying the victims of the breach.
Delaware employers must be aware of their duties when they discover that employee data may have been breached. Importantly, a breach need not occur in the form of a computer hack like the one that appears to have happened at the University of Delaware. It also can come in the form of an employee who sends herself a copy of payroll data just before she resigns. If the payroll data contains bank-account numbers and/or social security numbers, and it’s in the possession of a former employee, you have a duty to take immediate action under Delaware law.