MA town mistakenly emails personally identifiable information
On August 4, 2010, it was reported that officials in the town of Hingham, Massachusetts would be notifying approximately 1,300 individuals whose names and Social Security Numbers were mistakenly sent to about 30 town officials. Hingham officials indicated that they were notifying the state attorney general’s office and the Office of Consumer Affairs and Business Regulation of the breach in accordance with Massachusetts law.
A town official had emailed a document containing the personally identifiable information to about 30 department heads. When the official was notified that the document contained confidential personal information, he recalled the email, which had been sent to accounts maintained on the town’s protected server. The official said that about half of the emails had been successfully retrieved and destroyed before the recipients had opened them and seen the personal information.
Notably, however, approximately 11 of the 30 emails had already been automatically forwarded by the recipients to private personal accounts — off the town’s server — that were beyond the reach of the recall. These forwarded emails could theoretically have been breached through compromises of the servers of the personal accounts’ service providers. Town officials reported that the people who had forwarded the emails to the recipients’ personal accounts confirmed that the recipients had deleted the emails and sensitive information from their personal accounts.
An official of a union representing town emergency workers has threatened legal action in connection with the breach. The union official complained that his repeated requests for information about the breach had not been answered. Town officials acknowledged that their initial response to the breach was slow, citing the summer vacations of various officials, including the town’s attorney, in the immediate aftermath of the breach.
While the risk of identity theft in this situation may be minimal, the matter illustrates how seemingly minor, inadvertent breaches of personally identifiable information can lead to very substantial costs. It is not unusual for the out-of-pocket costs of a breach (including legal and forensic expenses and the costs incurred in providing notice, credit monitoring and call center services to the affected individuals) to be in the range of $40-$60 or much more per breached record. These are costs that municipalities and other governmental agencies can ill afford, but which can be significantly mitigated through well-negotiated insurance coverage that is tailored for these types of situations.