
Pfizer Keeps Data Breach Quiet

Six-Week Notification Delay Called "Problematic"



By Martin H. Bosworth
ConsumerAffairs.com

July 17, 2007
A data breach that involved 17,000 current and former employees of pharmaceutical giant Pfizer went unreported for six weeks after it was discovered, according to Connecticut Attorney General Richard Blumenthal.

Blumenthal obtained a letter from Pfizer attorney Bernard Nash, which said the breach occurred on March 26, when an employee hooked up a laptop containing sensitive personal information to a peer-to-peer (P2P) file-sharing network.

An "independent computer security consultant" contacted Pfizer on April 18 to notify them of the breach, but Pfizer did not start formally mailing notices to affected individuals until June 1, and mailings were continuing as late as June 6.

The letter, uploaded to the Web site of New London, Connecticut newspaper TheDay, details Pfizer's response to Blumenthal's inquiry regarding the breach through Nash. Among Pfizer's points:

• The company did not believe the breach constituted "criminal intent," and thus did not notify law enforcement agencies besides the AG office and other agencies it was "required to notify by statute."

• The personal information exposed included names, Social Security numbers, and in some cases, home and cell phone numbers. Pfizer claimed to be continuing to send notifications to affected individuals as it found out about them.

• Although Pfizer supported Blumenthal's recommendation that affected victims be advised to obtain credit freezes, Pfizer declined to pay for credit freezes itself, stating that such a move would be seen as a "tacit endorsement" of credit freezes.

Pfizer did not say why so much time passed between the breach and notification of the affected employees, which Blumenthal called "problematic."

"The potential damage to people during that time is very troubling, and (employees) could have taken action themselves if given proper notification," he said.

The Pfizer incident illustrates the widespread disparity in the handling of data breaches. Each state has different laws governing data breaches, some demanding immediate disclosure, others mandating disclosure only after law enforcement and internal company authorities have investigated.

California's data breach laws, widely considered to be among the strongest in the nation, mandated that data broker ChoicePoint reveal that it had sold information on 145,000 American citizens to a ring of Nigerian criminals in 2005.

There are currently no federal laws governing the conditions for data breach disclosures, a situation hampered by battles between industry lobbyists and consumer advocates over "risk standards" for notifying citizens that they may be affected. Congress has tried on several occasions to pass legislation dictating the terms of how breaches should be disclosed, but critics point out that the federal laws will preempt stronger state laws and remove individual rights to claim redress in case of a breach.

Recently the Government Accountability Office published a report stating that data breaches were hard to link to cases of identity theft, and that businesses and government agencies should adopt risk-based standards for deciding whether or not to disclose that a breach occurred.

Critics of the "risk-based standard" say that trusting agencies and businesses to police their own data breaches will ensure that victims may never know they were affected until months after the fact -- when it may be too late.




Copyright © 2003-2008 ConsumerAffairs.com Inc.  All Rights Reserved.