Global investment management firm T. Rowe Price has disclosed that thieves stole two laptops containing the sensitive information of thousands of 401(k) participants from the St. Louis office of a third-party contractor.
The hard drives contained the names and Social Security numbers of 35,000 people who are no longer employed by the sponsoring companies but are still enrolled in their retirement plans, T. Rowe spokesman Brian Lewbart told SCMagazineUS.com today. Former workers of hundreds of companies are affected.
The third-party provider, CBIZ Benefits and Insurance, was contracted by T. Rowe to prepare IRS Form 5500 filings for these individuals, Lewbart said. The forms required certain personal information, which was stored on the laptops' unencrypted hard drives.
"It's something the government requires to more formally track where people have vested retirement benefits, so down the road, it makes sure people don't lose track of where they may have retirement benefits," he said.
Lewbart said that when the two laptops were stolen on Christmas Eve, the contractor was not violating any T. Rowe policies, and the two firms plan to remain partners.
However, John Geffert, associate counsel for parent company CBIZ Inc., told SCMagazineUS.com on Wednesday that workers are supposed to keep sensitive data off the hard drive and on the local network.
"In this case, the policy may not have been followed," he said. "We're working with people's recollections on what they think they may have had on the hard drive."
The data had been transferred to the hard drive so it could be uploaded to a CD being sent to T. Rowe, Geffert said. Workers may have forgotten to delete the information from the laptop's "Recycle Bin."
"We've made a move to try to prevent something like this from happening again," he said.
Geffert said the CBIZ division affected by the breach, CBIZ Human Capital Services, has since installed encryption software on its laptops, but that doing so is not considered industry standard.
"It's very easy to ask that question (why were the laptops not encrypted?) in retrospect and hindsight," he said.
But experts said encryption should have been part of the contract between the two companies.
“Based on the way the world has changed today, any personally identifiable information should be encrypted at rest,” Marcus Sachs, director of the SANS Internet Storm Center, told SCMagazineUS.com today. “If it's not, then there should be extra measures taken to provide physical security.”
Lewbart said there is no reason to believe the burglars were after the data on the machines, which were protected by multiple levels of password controls, and no evidence exists that any of the information has been misused.
“We do know that [CBIZ is] now in the process of installing encryption on the computers,” he said. “We certainly accept full responsibility.”
Five other laptops were also taken in the burglary; they contained personal information on about 100 people unrelated to T. Rowe, Geffert said, declining to discuss specifics.
T. Rowe is offering victims one year of free credit monitoring, which includes $25,000 in identity theft insurance. The company is also advising affected parties of a number of identity-protection steps they can take, such as placing fraud alerts on their credit files.
Sachs said companies such as T. Rowe should require of their partners at least the same security standards they themselves have in place. Basic hard-drive encryption is not a complex solution.
“If you're running any of the popular operating systems – Microsoft, Linux or Apple – [encryption is] usually just a mouse click,” he said. “You just turn it on. It's built into the operating system.”