Benefits consultant loses backup tape containing employee personal information
Date Reported:
8/4/10
Organization:
Marsh & McLennan Companies
Contractor/Consultant/Branch:
Seabury & Smith, Inc.
Mercer
Marsh
Undisclosed third-party courier
Location:
Undisclosed
Victims:
Employees and employee dependents of client companies
Number Affected:
Undisclosed
Types of Data:
"personal information, such as name and Social Security Number"
Breach Description:
Mercer Health & Benefits LLC and its affiliates (Mercer) has updated the New Hampshire Attorney General about a breach that occurred in April, 2010. The breach was the result of a lost (or stolen) backup tape.
Reference URL:
New Hampshire Attorney General breach notification (updated)
New Hampshire Attorney General breach notification (original)
Report Credit:
New Hampshire Attorney General
Response:
From the online sources cited above:
Letter to Attorney General:
Marsh and Mercer wrote to you in June to advise of a potential information security incident involving data maintained by Marsh's Association business, which operates through Seabury & Smith, Inc., and Mercer Health & Benefits LLC.
[Evan] The June letter is referenced above. I'm not a big fan of the word "potential" when referencing a security breach. This was a real information security incident, not a potential information security incident.
This letter is intended to serve as an update to that notice and to provide you with information on the total number of potentially affected individuals in New Hampshire.
Based on additional investigation to date, this incident may involve certain personal information of a total of 131 individuals in New Hampshire in their capacity as recipients of employee benefits.
[Evan] We have no clue as to how many people may be affected by this nationwide.
As noted in our previous letter, a server back-up tape being sent from one Marsh and Mercer office to another by a third-party courier was lost during shipment.
[Evan] We are probably safe to assume that the data on the backup tape was not encrypted. Sending unencrypted backup tapes off-site is not a good information security practice. As I was doing more reading about breach notification laws (again), I noticed something that I missed previously. I am no lawyer, so I don't want to imply that I am giving any kind of legal advice. I encourage you to read the New Hampshire statute "Notice of Security Breach", Section 359-C:19 Definitions, look at IV. (a) "Personal information":
IV. (a) "Personal information" means an individual's first name or initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(1) Social security number.
(2) Driver's license number or other government identification number.
(3) Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
This tape may have contained personal information, such as name and Social Security Number.
[Evan] Either the tape did or it did not contain personal information. The company retained by Mercer to assist in this breach is Kroll (at the time of the breach, Kroll was also owned by Marsh & McLennan). Kroll employs some very good (top notch) forensic investigators, and I am pretty sure that they would be able to determine what data was on the tape with some certainty.
Because of the complex nature of the security of and information on the tape, and the technical measures which are necessary to determine and analyze the data elements contained on the tape, we believe that the risk of identity theft resulting from this incident is extremely low.
[Evan] Wouldn't it be interesting to know what the "complex nature of the security" is? Or maybe how technical the "technical measures which are necessary" to access the data are? Without strong encryption and sound key management, I remain unconvinced. For all we know, the technical measures are nothing more than a computer, tape drive, backup software, and some cables. Not exactly what I would call "complex nature of the security".
Regardless, we are committed to the security of personal information and have taken immediate steps to fortify the protective measures surrounding those already in place in order to prevent a similar incident from occurring in the future.
[Evan] Have you decided to encrypt the data going forward?!
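What "encrypting the data going forward" could look like for a tape that is handed to a courier, as an added example that is not code from the original post or from Marsh, Mercer or Kroll: the backup is sealed with AES-256-GCM under a fresh per-tape data-encryption key, and only that key, wrapped under a long-lived key-encryption key, travels on the tape. The names, addresses and Social Security numbers in SampleBackup are constructed and fictitious; the key-encryption key, the key manager or HSM it is assumed to live in, and the image layout are assumptions of this example, not anything described in the letters above.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const (
	keySize   = 32 // AES-256 for both the per-tape DEK and the long-lived KEK
	nonceSize = 12 // standard GCM nonce length
)

// magic tags the image format and is bound into both GCM tags as AAD.
var magic = []byte("TAPE1")

// SampleBackup is a constructed, fictitious benefits export, not incident data.
var SampleBackup = []byte("name,address,ssn\nJane Doe,1 Main St,123-45-6789\n" +
	"John Roe,2 Elm St,987-65-4321\n")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // without a CSPRNG there is no safe tape; refuse to continue
	}
	return b
}

// EncryptForTransit builds the tape image: magic | kekNonce | wrapped DEK | dataNonce | sealed backup.
// The backup is sealed under a fresh data-encryption key (DEK); only the DEK, wrapped under
// the key-encryption key (KEK), ships. The KEK is assumed to stay in a key manager or HSM.
func EncryptForTransit(kek, backup []byte) ([]byte, error) {
	wrapAEAD, err := newGCM(kek)
	if err != nil {
		return nil, fmt.Errorf("kek: %w", err)
	}
	dek := random(keySize)
	dataAEAD, _ := newGCM(dek) // cannot fail: dek is a valid AES-256 key
	kekNonce, dataNonce := random(nonceSize), random(nonceSize)
	out := append(append([]byte(nil), magic...), kekNonce...)
	out = wrapAEAD.Seal(out, kekNonce, dek, magic)
	out = append(out, dataNonce...)
	return dataAEAD.Seal(out, dataNonce, backup, magic), nil
}

// DecryptFromTransit restores a tape image. A wrong KEK, a flipped bit or a
// truncated image fails authentication instead of yielding garbage plaintext.
func DecryptFromTransit(kek, tape []byte) ([]byte, error) {
	wrapAEAD, err := newGCM(kek)
	if err != nil {
		return nil, fmt.Errorf("kek: %w", err)
	}
	tag := wrapAEAD.Overhead()
	wrappedLen := keySize + tag
	minLen := len(magic) + nonceSize + wrappedLen + nonceSize + tag
	if len(tape) < minLen || !bytes.HasPrefix(tape, magic) {
		return nil, errors.New("not a tape image")
	}
	h := len(magic)
	kekNonce := tape[h : h+nonceSize]
	wrappedDEK := tape[h+nonceSize : h+nonceSize+wrappedLen]
	dataNonce := tape[h+nonceSize+wrappedLen : minLen-tag]
	sealed := tape[minLen-tag:]
	dek, err := wrapAEAD.Open(nil, kekNonce, wrappedDEK, magic)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK (wrong KEK or corrupt header): %w", err)
	}
	dataAEAD, _ := newGCM(dek) // dek was authenticated above, so it is 32 bytes
	backup, err := dataAEAD.Open(nil, dataNonce, sealed, magic)
	if err != nil {
		return nil, fmt.Errorf("open backup (tampered or truncated): %w", err)
	}
	return backup, nil
}

func main() {
	kek := random(keySize) // stands in for a key fetched from the key manager
	tape, err := EncryptForTransit(kek, SampleBackup)
	if err != nil {
		panic(err)
	}
	fmt.Println("SSN readable on tape:", bytes.Contains(tape, []byte("123-45-6789")))
	restored, err := DecryptFromTransit(kek, tape)
	fmt.Println("restore with right KEK:", err == nil && bytes.Equal(restored, SampleBackup))
	_, err = DecryptFromTransit(make([]byte, keySize), tape) // all-zero KEK
	fmt.Println("restore with wrong KEK:", err)
}
```

Two things to check before trusting a scheme like this: the KEK must not ride in the same shipment (a key on the tape, in the courier envelope, or in the backup software's config next to it makes the encryption decorative), and every tape gets its own DEK so no key or nonce is ever reused across images. Under those conditions a lost tape holds nothing readable without the KEK, which is exactly the "not encrypted" condition in the New Hampshire definition quoted above.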
Marsh and Mercer take privacy and information security seriously.
In order to ensure that potentially affected individuals are able to protect themselves from possible identity theft or other damage, Marsh and Mercer, on behalf of themselves and any potentially affected clients, alerted individuals about the situation by sending out individual notices.
As related to you before, Marsh and Mercer have retained Kroll Inc. to provide toll-free access to Kroll's Consumer Solutions Center, along with credit monitoring, identity restoration and related services at no cost to the potentially affected individuals.
Letter to victims:
Mercer Health & Benefits LLC and its affiliates (Mercer) provide consulting, insurance broking and related administration services regarding employee benefits plans maintained by Mercer's employer clients.
In this capacity, it was necessary for Mercer to collect certain personal information regarding its clients' employees and their dependents.
[Evan] I am guessing that most of the victims had no idea that Mercer had collected and retained their personal information. The victims are the owners of the information and should have been informed of who their employer shares their information with.
In April, 2010, we confirmed that an information security incident occurred involving data held by Mercer.
The incident involved a server back-up tape that was lost in transit during shipment from a Mercer office to another site.
Working with the third-party courier, a thorough search for this lost tape has been conducted.
[Evan] Who was/is the third-party courier?
Unfortunately, the location of the tape remains unknown at this time.
While we have no reason to believe that the tape or the information it contained has been inappropriately accessed or misused in any way, we do believe the back-up tape may have included your personal information such as your name, address and Social Security number.
[Evan] Again, "may have". Either it did, or it did not. If the organization is unable to determine for sure, then they have more serious issues to deal with.
Even though the risk of identity theft resulting from this incident is extremely low, the security of your personal information is paramount.
[Evan] In order to assign a risk level, we need to understand what risk is. I am going to grossly oversimplify things here, more for readers who may not know. In this case, risk is essentially the likelihood of something bad (event) happening combined with the impact to the affected party(ies). Here we know that the likelihood of something bad happening has been increased to some extent, and the impact is/was already moderate to high. Let's use numbers, like a scale of 1-5. 1 is good (or low) and 5 is bad (or high). Before the incident, let's say that the likelihood was 1-2 and the impact was 4-5. The risk assigned before the incident was maybe a 2. Post incident the likelihood may be raised to 2-3 and the impact remains essentially the same, 4-5. The risk assigned after the incident could then be 2-3. The risk was not "extremely low" before the incident and certainly is not afterward either. Hopefully you get what I'm trying to say here ;)
For that reason, Mercer has engaged Kroll Inc… at no cost for one year.
We reiterate our deep commitment to protecting the privacy and security of your personal data and have taken immediate steps to fortify the protective measures that were already in place in order to prevent a similar incident occurring in the future.
Commentary:
I made more than my share of comments above. If you have some, we would love to hear them.
Past Breaches:
Unknown