http://securityratty.com/tag/cbiz Tue, 29 Jan 2008 09:51:35 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/eeaa57364e7dfa30a2ef24d6c7ffa570 http://securityratty.com/article/eeaa57364e7dfa30a2ef24d6c7ffa570 Security Breach

Date Reported:
1/28/07

Organization:
T. Rowe Price

Contractor/Consultant/Branch:
T. Rowe Price Retirement Plan Services
CBIZ Benefits and Insurance Services Inc.

Victims:
Participants in various T. Rowe Price retirement plans

Number Affected:
35,000

Types of Data:
Names and Social Security numbers

Breach Description:
Computers were stolen from the office of CBIZ Benefits and Insurance that contained sensitive personal information belonging to participants in “several hundred” T. Rowe Price retirement plans.  CBIZ is a vendor for T. Rowe Price that was helping the company to prepare IRS Form 5500's.

Reference URL:
Investment News online story

Report Credit:
Investment News

Response:
From the online source cited above:

T. Rowe Price Retirement Plan Services alerted 35,000 current and former participants in “several hundred” plans that their names and Social Security numbers were contained in files on computers that were stolen, said Brian Lewbart, spokesman.

taken from the office of CBIZ Benefits and Insurance Services Inc., which prepares the 5500s for T. Rowe Price

The data were kept on the computers to help complete filing of Form 5500
[Evan] I have a feeling that the information was only meant to be kept on the computers temporarily until the Form 5500's were complete.  This breach demonstrates the importance in protecting confidential information no matter where it resides, no matter how long.  Confidential information must remain protected in-transit and at-rest, even if temporary.  Obviously, encryption could have been an effective defensive layer.

Other personal information, such as addresses, and birth dates, was not on the computers.
[Evan] This information can be obtained publicly anyway, so no help here.

The company offered those affected a free one-year subscription to an online credit monitoring service and up to $25,000 of identity theft insurance, as well as tips on protection from identity theft.

Commentary:
Not much is known about this breach yet.  I am sure that there is more to come.

This is yet another case of a lost or stolen computer containing sensitive personal information without encryption (assuming there is no encryption).

Past Breaches:
Unknown

]]> Tue, 29 Jan 2008 09:51:35 +0000 sensitive personal information personal information information confidential information rowe price insurance identity theft insurance cbiz benefits cbiz 35,000 T. Rowe price plan participants alerted