Data Breach Revelations Continue

June 19, 2006 ( - Revelations about security breaches compromising personal customer data have continued in recent days with word that one provider's insurance customers and New York state employees have fallen victim to the crimes.

The new revelations come as Congressional lawmakers continue pondering several bills that would establish a national standard for when providers must notify customers of such breaches – including one proposal that has drawn fire from opponents who allege that it weakens existing state regulations.

The latest example, according to news reports, was the revelation that i nsurance giant American International Group (AIG) had lost personal identifying information on about 970,000 consumers through a burglary at an undisclosed office in the Midwest .

AIG received lost records from 690 different insurance brokers, on behalf of possibly thousands of employers, seeking group coverage for a type of supplemental medical insurance for catastrophic claims, according to the news reports. The lost records include names and Social Security numbers. According to AIG, the March 31 break-in involved the loss of both a laptop computer and a file server with insurance applicants’ personal records on it. AIG said that it planned to advise affected consumers by the end of the week.

“So far, we’re not aware of any misuse,” said AIG spokesman Chris Winans. “We didn’t want to inadvertently inform the thief that he had a computer with sensitive information on it.”

A second high-profile data breach occurred whenNew York state officials admitted that they were unable to locate a missing computer cartridge with the names, salaries and Social Security numbers of more than 1,300 state workers that was being sent to the state Capital via a courier service.

Finally, ING is mailing letters today to about 13,000District of Columbia workers and retirees whose personal data – including Social Security numbers – is stored in a laptop stolen last week from thesoutheast Washington home of an ING US Financial Services employee. The company letter will alert the account holders to the risk of someone using the information to commit identity theft, spokeswoman Caroline Campbell said. The company is also telling customers that it will set up and pay for a year of credit monitoring and identity fraud protection.

All in all, according to one news report, at least 40 data breaches have been reported publicly since the break-in at AIG’s offices. One of the largest known breaches occurred last month when a Veterans Affairs Department employee lost the records of 26.5 million veterans when a burglar broke into his Maryland home and lifted his laptop computer and an external hard drive.The computer and hard drive also contain the records of up to 1.1 million active-duty military personnel (See Veterans Affairs Bars Employee-owned Computers and Restricts Offsite Network ).

Meanwhile, lawmakers are considering the Financial Data Protection Act of 2006 (HR 3997), which some say would weaken state laws requiring disclosure of security breaches. Under the proposed federal legislation, such disclosure would have to be made only if a company determines that a security breach “is reasonably likely to result in harm or inconvenience” to individual consumers.

US Representative Steve LaTourette (R-Ohio), t he chief author of (HR 3997), said he expects his legislation to be combined with another privacy-related bill before coming up for a vote soon in the House. The Data Accountability and Trust Act (HR 4127) contains a stronger disclosure provision for security breaches.