The Texas comptroller's office said it has spent $1.8 million to notify victims and to hire consultants to remedy the data breach. Lawsuits appear likely as petitions are filed.
The Texas state comptroller's office has already spent $1.8 million to mitigate the yearlong data breach in which names and Social Security numbers were exposed. The total cost is expected to be even higher as the lawsuits start rolling in.
Personal information belonging to approximately 3.5 million people in Texas was accidentally exposed on a publicly accessible FTP server for a full year before it was detected, Texas comptroller Susan Combs disclosed on March 31. Since then, the comptroller's office has spent $1.2 million to mail letters to those affected and $393,000 for a call center to handle calls from people looking for information and assistance. Another $290,000 went to Deloitte Consulting and Gartner for services related to assessing the damage and improving IT security in the comptroller's office.
Deloitte consultants were hired to determine the extent of the information exposure, and Gartner consultants will be performing an IT security risk assessment of the Comptroller's Office. They will "examine information-security policies and procedures at the agency from an outside perspective," according to the comptroller's office.
Deloitte has confirmed that no additional confidential information has been exposed, according to the office. Gartner's assessment will identify opportunities for improvement in the agency's security and risk-management processes and will include recommendations for the future.
"I and other Texans whose personal data was potentially exposed need to feel confident that an incident like this will never happen again," Texas Comptroller Susan Combs said in a statement. "We will follow our consultants' advice and do everything in our power to ensure that information entrusted to state government is secure."
The head of innovation and technology and the head of information security have been fired, along with two other employees, according to the statement.
Those whose personal information was exposed are eligible to receive discounts for fraud-related assistance, including credit monitoring, Social Security number protection, Internet surveillance and $10,000 in identity theft insurance from Experian and CSIdentity Protector.
While no one has filed lawsuits related to the breach yet, that remains a possibility. The Texas Civil Rights Project and a lawyer representing one of the victims filed a pre-suit investigation petition on April 26. The petition asked for a deposition from Combs, and is generally the first step before a lawsuit is filed.
The deposition seeks to determine who was responsible for the breach, what procedures were followed and violated, what steps are being taken to prevent this in the future, and what the exact costs are, according to Chuck Herring, a lawyer for Sarah Canright, a teacher affected by the breach.
"The incomplete, misleading statements issued by Comptroller Combs and the Comptroller's Office to date raise more questions than they answer. Texans deserve to know the truth concerning how this illegal and unconstitutional invasion occurred," the lawyers wrote in the court documents.
In 2009, the Department of Veterans Affairs settled a class action lawsuit brought after a laptop containing names, dates of birth and Social Security numbers of 26.5 million current and former military personnel was stolen. The agency paid $20 million.
A recent Ponemon Institute report noted that the average cost of "remedying" a data breach was around $7.2 million. The same report also warned that organizations that move quickly to disclose and repair the breach, as the Texas comptroller's office is, tended to spend 54 percent more per record than the slow-reacting organizations.
The information from the TRS (Teacher Retirement System) of Texas, the Texas Workforce Commission and the ERS (Employees Retirement System) of Texas was left on a public FTP server when it should have been secured immediately. The files also weren't encrypted as required by Texas administrative rules, and other internal procedures weren't followed, Combs said.
Scammers have already taken advantage of the breach, as there have been cases of victims receiving phone calls at home wanting to confirm their personal information. In one scam, the caller identified himself as "Mike with ERS" and said he wanted to confirm the last four digits of the call recipient's Social Security number. When an employee refused to provide the information, "Mike" reportedly said, "Good luck to you," and disconnected.
ERS, TRS and the Texas Workforce Commission have said they are not making any phone calls.
The comptroller's office started sending out letters April 13 informing Texans about the breach.
The Texas Attorney General's office and the FBI have not yet completed their investigation.