A Maryland accounting firm had to notify 2,906 Maryland residents after an unencrypted backup drive was stolen from an employee’s car at his home.
The theft occurred on August 4, but Clark & Anderson, P.A. didn’t learn of it until August 8. In a letter dated August 30 to the Maryland Attorney General’s Office, they indicated that they were starting to notify affected individuals.
Of course, they didn’t tell those affected that the backup drive with their information had been left in a car at the employee’s home. They only told them it was stolen from the “possession of a staff member” in a “criminal act against a staff member.” While I realize that firms like to see themselves as the victims of breaches, I see it as a staff member irresponsibly left a lot of sensitive information in his car and it was stolen, victimizing the clients.
Clark & Anderson reassured those notified that much of the data is in a sophisticated software package that would not be readily readable. They stated they had no indication that the data has been accessed or misused.
The total number of individuals affected by the theft was not reported. The personal information on the backup drive included name, address, telephone number, date of birth, Social Security number, bank account information and brokerage account information. They also mentioned that “tax return information” which could include information on any dependents was on the backup drive.
So with all that info stolen, what do you think Clark & Anderson should offer in the way of credit protection and identity theft restoration? One year? Two? More?
They offered nothing in the way of free services.
See update to this incident here.