So an employee engaged in naughty (illegal) conduct with respect to some of the customers’ accounts, and now you have to notify all customers whose data he may have accessed in the normal course of his duties? That’s what happened to Golden 1 Credit Union. From their notification template:
We are writing to inform you of a recent incident that may affect the security of your personal information. Although we are not aware of any misuse of your information, we are providing this notice to ensure that you are aware of the incident so that you may take steps to protect your information should you feel it is appropriate to do so.
We have discovered that a person employed by us from early April to mid-June of this year appears to have engaged in unauthorized activity involving a small number of member accounts. The personal information available for viewing by this person included full name, social security number, driver’s license number and other financial information. Our records indicate that this person viewed your account, most likely as part of their job duties.
We take the security of your personal information very seriously. Please be assured that we terminated this person and continue to work with law enforcement and appropriate government agencies. At this time, we are not aware of any fraudulent or improper use of your personal information, nor are we aware of any subsequent disclosure of your data, but to be cautious, we are providing this notice to you. Please be assured that we have taken every step necessary to address the incident to date, and that we will continue to investigate and take any additional steps that may be required to ensure your personal information is protected.
Securing your personal information is important to us. As a precautionary measure to safeguard your information from potential misuse, we have partnered with Equifax to provide its Credit WatchTM Gold with 3-in-1 Monitoring identity theft protection product for one year at no charge to you.
[…]