DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Breach notifications: what really happened vs. what they tell us

Posted on September 24, 2013 by Dissent

I’ve often pointed out how breach notification letters to those affected  may omit details that consumers might want to know but breached entities probably prefer we not know.

I came across another example today. Let’s start with what happened, as described by attorneys for Vector Security to the Maryland Attorney General’s Office. Vector Security provides home and business security systems:

1. In December 2012, Vector relocated its office. In the process, they apparently left behind a laptop containing PII.

2. A contractor subsequently renovating the property found the laptop, and when he couldn’t get it to work, took it to a friend for assistance. The friend was able to gain some access to the contents – enough to realize that the laptop was Vector’s property. The laptop was returned to them the next day, on June 14, 2013. So the laptop had been out of Vector’s control for over 5 months.

3. When Vector recovered the laptop, they promptly started an investigation and hired Kroll to help restore functionality to the laptop and analyze the contents. On September 6, they learned from AllClear ID that the PII included an unreported number of individuals’ Social Security numbers.  Notification letters were sent on or about September 13, offering those affected one year of free subscription to AllClear.

Compare the above to what they told those affected:

Vector relocated our operations from an office located in Pittsburgh, Pennsylvania to an office located in Warrendale, Pennsylvania. We learned that a password protected laptop previously used by one of our executives was inadvertently left at our Pittsburgh office during our relocation. The laptop was returned to us and we immediately commenced an investigation into the contents of the laptop.

There’s no full disclosure to the customers that the laptop with their PII was out of their control for over 5 months and that they never realized it was gone until it was returned to them.

There’s no full disclosure to the customers that non-Vector personnel or contractors ever accessed the drive.

There’s no full disclosure that the laptop was returned to them three months before they started sending notification letters.

For all the consumer knows, the laptop might only have been left behind for a week and was quickly recovered in August or at the beginning of September.

Now maybe some customers wouldn’t care about all that, and the important thing to consumers may be that they are being reassured about the low risk of misuse and are offered free services.

And maybe some business reputation management firms would say that such omissions are great because the “whole story” might tarnish a firm’s reputation or result in customer unease or churn.

But as a transparency proponent, I find myself wishing that breached entities really had to disclose the details of breach, no matter how embarrassing it might be to their reputation. Maybe if they did, they’d take greater care.

You can read the Vector Security filing with Maryland  here (pdf) and form your opinion.

Category: Business SectorCommentaries and AnalysesLost or MissingU.S.

Post navigation

← 21st Century Oncology employee stole patient information for tax refund fraud scheme – feds
UK: Royal Free Hospital in clear after losing medical records of 78 pregnant women →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Data breach of patient info ends in firing of Miami hospital employee
  • Texas DOT investigates breach of crash report records, sends notification letters
  • PowerSchool hacker pleads guilty, released on personal recognizance bond
  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments
  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks
  • The US Grid Attack Looming on the Horizon
  • US govt login portal could be one cyberattack away from collapse, say auditors

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act
  • 23andMe Bankruptcy Judge Ponders Trump Bill’s Injunction Impact
  • Hell No: The ODNI Wants to Make it Easier for the Government to Buy Your Data Without Warrant
  • US State Dept. says silence or anonymity on social media is suspicious

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.