Steamboat Springs Stumbles Over Data Breach

March 3rd, 2009 Rob Douglas

As discussed here last week, my hometown of Steamboat Springs, CO suffered a data breach as a result of a laptop stolen during a burglary of the local school district office that has impacted upwards of 1,300 past and current Steamboat Springs School District employees.

Last Friday, I wrote a column titled Stolen Laptop Brings Identity Theft Risk for my local paper, The Steamboat Pilot & Today, offering a number of suggestions for both the school district and the employees that had their Social Security numbers stolen.

Today, the Steamboat Pilot & Today has a report titled District Charging Former Employees For Credit Monitoring on the school district’s response to the breach and the plan to offer credit monitoring.  As most readers know, the standard procedure around the country in a data breach that exposes personal identifying information that can be used to open a credit line is to offer at least one year of free credit monitoring paid for by the custodian of the records that were breached.

As you can guess from the title of today’s report, Steamboat seems to be taking a rather different approach.  Here’s the relevant portion of the Pilot’s report:

The Steamboat Springs School District is offering discounted credit monitoring for about 900 former employees whose Social Security numbers were on a stolen laptop, but some retirees aren’t pleased they have to pay anything to protect their credit.

The district will offer a year’s worth of credit monitoring for $40 to former employees whose Social Security numbers were on the laptop stolen from Finance Director Dale Mellor’s office the night of Feb. 24. That price is a discount from the regular price of $100 individuals would pay on their own for EquiFax monitoring, District Human Resources Director Anne Muhme said.

The district will cover the cost of credit monitoring for 423 current employees, including substitutes and other part-time positions.

The coverage for current employees will cost the district about $17,000, Muhme said. Covering past and present employees would have cost about $52,000.

The report goes on to provide quotes from a number of former employees who are – to say the least – unhappy that the school district is not paying for their credit monitoring.

Those employees have every right to be dismayed.  The school district should provide credit monitoring for all impacted employees regardless of whether they are current or former employees.  It goes without saying that identity thieves don’t differentiate based upon job status.

As the district’s decision appears to be based upon cost, the district should either find a more cost efficient means of protecting all those who had their Social Security numbers stolen or find the funds to  provide monitoring for everyone under the plan being offered to current employees.

A final note.  Towards the end of today’s report is perhaps the most bizarre response I’ve ever witnessed to a data breach.  You have to read it to believe it – so here it is:

Steamboat Springs School Board member John De­­Vincentis, a former Strawberry Park Elementary School principal whose Social Security number also was on the stolen laptop, said he has heard from several frustrated former employees. DeVincentis would like the district to show its concern and appreciation for those former employees without paying the $52,000 it would cost to provide monitoring for everyone.

“I’m looking for an in-between, something that keeps good feelings between the old staff and current staff and the School Board. Fifty-two thousand dollars is not worth it, probably, in my eyes,” he said.

DeVincentis suggested offering a picnic or a free school program for those affected.

“Just something that says you guys are worth at least a picnic or a talk or to do something fun together,” he said.

So let me get this straight.  A member of the school board is suggesting a picnic instead of credit monitoring?

Incredible.

In that case, I would suggest the only meal that would do justice at the picnic would be baloney sandwiches.  That way the former employees can be full of the same substance as school board member DeVincentis.

Posted in Credit Report, Data Breach, ID Theft, Identity Theft, SSN Identity Theft, Security Breach, information security, news | 2 Comments »

2 Responses

  1. Dissent Says:
    March 3rd, 2009 at 5:20 pm

    I, too, disagreed strongly with the offer by the district. As you correctly point out, this is not about concern or appreciation. It’s about people accepting responsibility that they have put others at risk of ID theft and minimizing the risk of harm to them. Much of the entire mess could have been avoided had the district encrypted the data at rest. Since they didn’t, they now need to accept responsibility and do the right thing for everyone who was affected.

  2. Jumanji Says:
    March 9th, 2009 at 9:17 am

    I find it interesting that the natural reaction to a data breach of personal information is to offer credit monitoring. This is a cheap and frankly does not protect your identity from being used. Instead credit monitoring is being positioned to limit the organization’s liability and demonstrate to the victims they are doing something. When in reality they did not take all the necessary steps to ensure that personal information entrusted to them remains private, personal and secure.

    Credit monitoring gives the consumer a false sense of security and protection. Credit monitoring does not deter identity theft, rather it is a tool to detect credit fraud. Credit monitoring serves as an AFTER-THE-FACT notification you are a victim.

    Credit monitoring does not detect all forms of identity theft. Only changes in your existing credit related accounts (credit cards, mortgage, car loan, LOC, cell phone) or when new accounts are opened in your name. These forms of identity theft account for less than 40% of all forms of identity theft.

    Credit monitoring will not detect the liquidating of existing bank accounts, use of your drivers license, using your name or Social Security number to gain employment (illegal immigrants and Homeland Security issues), IRS/tax liens, commit crimes in your name, obtain medical treatment/prescription drugs, weapon permits, etc.

    These data breach victims should also be advised to place fraud alerts with the credit bureaus. Something you can do for free. Fraud alerts serve as a deterrent tool but are successful only if the credit issuer follows through on the alert. Plus they only serve to protect you from new credit going through in your name.

    Identity theft is a crime, not an inconvenience, and takes many forms. Credit restoration will not stop the continued victimization because law enforcement doesn’t have the resource, time and manpower to investigate every case of identity theft. In fact they investigate less than 15% of all reported cases. This is why identity thieves will continue to use your personal information over and over again, on average 30 times.

Leave a Comment

Please note: Comment moderation is enabled and may delay your comment. There is no need to resubmit your comment.