Speedmark, a marketing services firm that employs "mystery shoppers" to observe employee behavior for client companies, was hit with a data breach when thieves stole computers containing some shoppers' personal data from the company's Woodlands, Texas office.
Several computers were taken, one of which contained a database with personally identifying information on mystery shoppers working for Speedmark. The information included names, addresses, e-mail accounts, and Social Security numbers of Speedmark employees and contractors.
The theft was discovered on Dec. 16, 2006, but many shoppers contracted to Speedmark did not receive letters notifying them of the breach until mid-February, 2007.
Many shoppers for Speedmark were frustrated at the length of time the company took to disclose the breach, and by the fact that the letters were mailed at standard postage rather than sent by email or overnight mail, according to comments posted on Volition.com, an online message board that caters to mystery shoppers and independent contractors.
"I received my letter today, over two months after this happened!" fumed shopper "NatashaM." "In my opinion, two months is entirely too long to hear about this. I agree with another poster that stated an e-mail should have been sent immediately (as in the same week of the event) and then they could follow it up with this badly xeroxed letter mailed substandard class."
One reader posted a transcript of the notification letter from Speedmark president Scott Hiller. In the letter, Hiller said that the information on the computer was password-protected, and that the company had notified local law enforcement of the theft.
"Speedmark takes the security of your personal data seriously," Hiller said. "Accordingly, we have taken steps to ensure the security of our premises and equipment to the best of our ability, including security guards during non-business hours until further notice."
Another shopper contacted Speedmark's customer service to get more information.
The company replied that breach notification had taken so long because the company had to "first restore the data from back-ups, identify those who were possibly affected, and contract with a vendor to produce and mail 35,000 letters."
"Notice was provided via mail because we did not have agreements from our shoppers to use email as an acceptable mode of notification," the company said. "You must actually stipulate that email (or fax) is acceptable notice to you, or any formal notice must be delivered via US Postal Service in order to be considered a valid delivery attempt of the notice. Without the stipulation, email would not have been sufficient legal notice."
However, an attorney consulted by ConsumerAffairs.com said there was nothing stopping the company from sending emails as a courtesy and following up with a letter.
"It is the height of absurdity to say that because postal mail is the specified form of legal notification, the company's managers couldn't take five minutes to send everyone an e-mail telling them about the theft and alerting them to watch their mail," said the attorney, who asked not to be identified because she did not have first-hand knowledge of the case.
Speedmark representatives refused to comment on the case to ConsumerAffairs.com.
Don't Mess With Texas Data
Under Texas state law, disclosure of data breaches must occur "as quickly as possible," unless law enforcement requests a delay while investigating the incident "or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system."
William Ballard, the detective assigned to the case, told ConsumerAffairs.com that after two months, the case had "no leads and nowhere to go."
"We have no suspects, the fingerprints we got from the scene aren't usable, and no information," he said. Ballard was investigating the possibility that the Speedmark break-in was part of a ring of computer thefts in the Dallas and Houston areas, as he claimed he had seen a "rash" of cases in recent weeks.
"They just vanish into thin air," Ballard said.
The Mysteries Of Mystery Shopping
The Speedmark case is not only the latest example of a data breach arising from computer theft, but also an indicator of how affected customers and employees can have difficulty addressing the problem.
Mystery shoppers are often employed to work for big companies by third-party vendors such as Speedmark. As such, they are treated as independent contractors, and have to furnish personal information to the hiring vendor for tax purposes -- even if they never get any offers to work for a client.
In addition, mystery shoppers are often easy prey for scammers and con artists looking to cajole cash out of the unsuspecting, often through unneeded "fees" or phishing e-mails.
A mystery shopper who asked to remain anonymous tipped ConsumerAffairs.com regarding the breach. The person noted that the non-disclosure agreements mystery shoppers sign when working for clients would make it difficult to notify authorities and media regarding the theft.
"Are they violating [non-disclosure agreements] with others by admitting they are a mystery shopper?" they asked. "Of course, they blow cover if they appear publicly and can no longer work. You see the conundrum the shoppers are in?"