Is it beginning to seem like nary a day goes by without news of some chunk of data being lost, stolen, or breached? Just as the lack of disclosure was almost as big a story as the breach itself in the recent hacking of over 300 bank home pages, in this new case involving the personal data of 330,000 certified public accountants, the failure to properly disclose the potential compromise is once again a big part of the story. According to a ComputerWorld story about the incident, more than two months passed between the time the American Institute of Certified Public Accountants (AICPA) noticed the data was missing and the time the affected people were notified. ComputerWorld's Jaikumar Vijayan wrote:
...the American Institute of Certified Public Accountants (AICPA) today confirmed that a computer hard drive containing the unencrypted names, addresses and Social Security numbers of nearly all of its 330,000 members has been missing since February... the hard drive had been accidentally damaged by an AICPA employee and was sent out for repair to an external data-recovery service in violation of the AICPA's policies... it was on its way back to the AICPA via FedEx but failed to arrive... the package containing it was due back at the AICPA "towards the end of February"... The AICPA began notifying affected members of the potential compromise of their personal data on May 8.
From the way the story is written, it appears as though the missing drive had to be reconstructed in order to figure out whose personal information it contained, a step that preceded the disclosure. But if you ask me, the minute that drive went missing, the organization should have sent a notice out to all of its members. Why not? Better safe than sorry. And in this case, the full membership list apparently would not have been far off from the list of people who had to be notified anyway.
Not only is this a reminder of why organizations can't be trusted to police themselves on the disclosure issue (as some legislation going through Congress suggests they should be), it's also a reminder of why we definitely need something at the federal level. Breaches like this one can easily cross state lines. Which state's law would take jurisdiction? The one where each CPA is located? The one where the AICPA is located? The one where the hard drive was apparently lost by FedEx?
To the AICPA's credit, it's making good on the loss by offering a year's worth of free credit monitoring to its members. But that doesn't absolve it, or any other organization, from the responsibility to disclose such losses on a more timely basis.