A lengthy delay between when the Connecticut State Teachers' Retirement Board realized it had a security breach and when it told nearly 60,000 members about it has caused the state's attorney general to take action.
Attorney General Richard Blumenthal, upset over an eight-month delay after the board learned a flash drive containing personal information for 58,506 individuals went missing, said that it should provide credit monitoring and other identity theft protections to those affected. The board informed the state attorney general's office of the incident in December of last year, and confirmed that the missing flash drive contained the names, addresses, salaries, last four digits of Social Security numbers and other sensitive personal information for thousands.
Blumenthal urged the board to notify those affected right away, but it did not do so until the end of June. The notices also failed to explain the nature of the breach or what information was compromised despite explicit instructions to do so.
"Tens of thousands of individuals impacted by this security breach deserve the specifics and safeguards to protect against identity theft," Blumenthal said. "The Connecticut Teachers' Retirement Board has a moral and professional duty to promptly notify its members when private information is compromised, and provide protections."
The attorney general's office said it was contacted by several affected teachers saying that they did not understand the notifications because they contained very little information pertaining to how the breach happened or how much of their information could have been exposed.
Blumenthal said the board must send out a new round of notifications that better explains the facts of the incident and offers identity theft protection for two years, including at least $25,000 of insurance and reimbursement for the cost of placing and then lifting security freezes with all of the three credit bureaus.
According to a report on the incident from the Associated Press, a spokesman for the Teachers' Retirement Board said that while the flash drive has yet to be recovered, it also contained mostly public information, and every piece of data it contained was properly encrypted. The board considers the drive's disappearance to be a "low-risk loss," and the lengthy delay in the notification process was not intended to overly concern the affected members.