DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Breach notifications: what really happened vs. what they tell us

Posted on September 24, 2013 by Dissent

I’ve often pointed out how breach notification letters to those affected  may omit details that consumers might want to know but breached entities probably prefer we not know.

I came across another example today. Let’s start with what happened, as described by attorneys for Vector Security to the Maryland Attorney General’s Office. Vector Security provides home and business security systems:

1. In December 2012, Vector relocated its office. In the process, they apparently left behind a laptop containing PII.

2. A contractor subsequently renovating the property found the laptop, and when he couldn’t get it to work, took it to a friend for assistance. The friend was able to gain some access to the contents – enough to realize that the laptop was Vector’s property. The laptop was returned to them the next day, on June 14, 2013. So the laptop had been out of Vector’s control for over 5 months.

3. When Vector recovered the laptop, they promptly started an investigation and hired Kroll to help restore functionality to the laptop and analyze the contents. On September 6, they learned from AllClear ID that the PII included an unreported number of individuals’ Social Security numbers.  Notification letters were sent on or about September 13, offering those affected one year of free subscription to AllClear.

Compare the above to what they told those affected:

Vector relocated our operations from an office located in Pittsburgh, Pennsylvania to an office located in Warrendale, Pennsylvania. We learned that a password protected laptop previously used by one of our executives was inadvertently left at our Pittsburgh office during our relocation. The laptop was returned to us and we immediately commenced an investigation into the contents of the laptop.

There’s no full disclosure to the customers that the laptop with their PII was out of their control for over 5 months and that they never realized it was gone until it was returned to them.

There’s no full disclosure to the customers that non-Vector personnel or contractors ever accessed the drive.

There’s no full disclosure that the laptop was returned to them three months before they started sending notification letters.

For all the consumer knows, the laptop might only have been left behind for a week and was quickly recovered in August or at the beginning of September.

Now maybe some customers wouldn’t care about all that, and the important thing to consumers may be that they are being reassured about the low risk of misuse and are offered free services.

And maybe some business reputation management firms would say that such omissions are great because the “whole story” might tarnish a firm’s reputation or result in customer unease or churn.

But as a transparency proponent, I find myself wishing that breached entities really had to disclose the details of breach, no matter how embarrassing it might be to their reputation. Maybe if they did, they’d take greater care.

You can read the Vector Security filing with Maryland  here (pdf) and form your opinion.

No related posts.

Category: Business SectorCommentaries and AnalysesLost or MissingU.S.

Post navigation

← 21st Century Oncology employee stole patient information for tax refund fraud scheme – feds
UK: Royal Free Hospital in clear after losing medical records of 78 pregnant women →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked
  • Breaches have consequences (sometimes) (1)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data
  • Sacred Secrets: The Biblical Case for Privacy and Data Protection
  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach
  • Nestle USA Settles Suit Over Job-Application Medical Questions

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.