From: Dinny S. Taylor
Date: Thu, Nov 5, 2009 at 8:44 AM
Subject: Potential breach of personal information
To: [redacted]

Dear [redacted]:

We are writing to notify you about a potential breach of your personal information. A Williams College laptop computer containing the names and Social Security numbers of a number of individuals, including you, was stolen in early October. While we currently have no information that any personal information has been misused, we nonetheless want to notify you of this incident and explain certain measures that the College has taken in response. We also want to apologize to you for any concern or inconvenience that this situation may cause.

Comments:

1) How many people did this affect? The alum who sent this to me graduated in the last 5 years. Did any of our readers get a similar e-mail? Why did the College take so long to inform him?

2) There is a great Record article to be written on this theft. Make sure you cite EphBlog as your original source!

3) What was a college employee doing with social security information on his laptop, especially data for an alumnus? Rule number one in keeping this sort of data safe is to store it in a central location only. Does the College have a policy on this? It ought to. It is reasonable for college officials and even professor to have possession of all sorts of data (grades, financial aid, SAT scores, et cetera) when doing research, and to keep that data on a laptop. But there is no need to keep social security numbers with that data.

4) I doubt that the alum has anything to worry about. Almost all laptop thieves just want the laptop. They don’t care about, they almost never even look at, the data that is there.

UPDATE: More details in the e-mail sent to current students/faculty. 750 Ephs, mainly recent graduates, were effected. I wonder what these Ephs have in common that put them in this dataset . . .

Rest of letter below the break.

While we currently have no information that any personal information has been misused, the College is providing credit monitoring and identity theft services to potentially affected individuals at the College’s expense. Specifically, we have engaged Kroll Inc. to provide its ID TheftSmartTM service. This service includes a Current Credit Report, Continuous Credit Monitoring and Enhanced Identity Theft Consultation and Restoration. If you have not received it already, you soon will receive a letter explaining the ID TheftSmart service and providing the Membership Number you will need to access that service. ID TheftSmart is one of the most comprehensive programs available to help protect your name and credit against identity theft.

We encourage you to take the time to review the safeguards made available to you and to review your account statements and credit information regularly.

In addition to providing the credit monitoring and identity theft services described above, the College is taking additional steps to help safeguard personal information. In recent years, the College has increased its efforts to minimize the chance of such a breach. For example, we’ve moved away from using Social Security Numbers to identify people, have been training staff in data protection, and have been cleaning and encrypting laptops. We’ll now review further our policies and procedures and do everything we can to prevent a recurrence.

We apologize again for any inconvenience or concern this situation may cause. We remain committed to maintaining the privacy of personal information as a key priority and will continue to take the steps needed to protect it.

Sincerely,

Dinny Taylor
Chief Technology Officer

Facebooktwitter
Print  •  Email