Data Breach Notice to Employees and Dependents
Compromise of Password-Protected Computer Lost in Burglary
Anheuser-Busch notified thousands of employees that their personal data, and the data of their dependents, may theoretically be at risk of identity theft. The data were on a password-protected laptop, and the data were encrypted.
The case comes to light because one of the states involved, New Hampshire, requires notice be sent both to affected individuals and to the state attorney general, who publishes the notices on the web. New Hampshire’s law does not require notice if data were encrypted. AB says the data were encrypted. It also says it has no information suggesting the burglars are attempting identity theft. So why did it give notice?
My guess is that the company was motivated more by the politics of the situation than a strict reading of the law.
The facts: A burglary in a Missouri building harvested several laptop computers from the offices of multiple companies. One of those laptops, belonging to AB, contained personal information (names, addresses, social security numbers and so on) about certain AB employees and their dependents.
More than 40 states have some form of data breach notification law. The laws are not uniform: their details vary, and the form of notice one state requires differs from what another requires.
Many of these laws are structured to protect state residents. Therefore, in order to know which law applies to a particular data subject (i.e., a particular employee or dependent), a data holder like AB must know the subject’s state of legal residence. Determining a person’s legal residence is not easy, because the data held about a person in a database is often insufficient to establish that person’s state of legal residence with certainty. A resident of Wyoming, for example, can have a postal address in Connecticut.
Hence, it might be particularly difficult and expensive for AB to determine with absolute precision which person should receive notice and under which state law. As a good faith compromise, AB decided (this is my interpretation) it would go overboard with notice in New Hampshire. Although NH law does not require notice if data were encrypted, many of the affected employees worked in NH. So (again, my interpretation) AB gave notice in NH, which included sending notice to the state attorney general, who would afford the notice special attention by publishing it on the web.
Computerworld inquired whether AB gave notice in other states. The company acknowledged that affected data pertained to residents of other states, but declined to say anything more about the other states. My reading is that AB did not necessarily track down every last dependent, and determine that dependent’s state of residence, so the company could provide that person notice in strict accordance with the law of that person’s state of residence.
Mr. Wright is an advisor to Messaging Architects, developer of software for filtering sensitive data (such as SSNs) out of e-mail.