A data breach that involved 17,000 current and former employees of pharmaceutical giant Pfizer went unreported for six weeks after it was discovered, according to Connecticut Attorney General Richard Blumenthal.
Blumenthal obtained a letter from Pfizer attorney Bernard Nash, which said the breach occurred on March 26, when an employee hooked up a laptop containing sensitive personal information to a peer-to-peer (P2P) file-sharing network.
An "independent computer security consultant" contacted Pfizer on April 18 to notify them of the breach, but Pfizer did not start formally mailing notices to affected individuals until June 1, and mailings were continuing as late as June 6.
The letter, uploaded to the Web site of New London, Connecticut newspaper TheDay, details Pfizer's response to Blumenthal's inquiry regarding the breach through Nash. Among Pfizer's points:
The company did not believe the breach constituted "criminal intent," and thus did not notify law enforcement agencies besides the AG office and other agencies it was "required to notify by statute."
The personal information exposed included names, Social Security numbers, and in some cases, home and cell phone numbers. Pfizer claimed to be continuing to send notifications to affected individuals as it found out about them.
Although Pfizer supported Blumenthal's recommendation of advising affected individuals to obtain credit freezes, Pfizer declined to pay for credit freezes itself, stating that such a move would be seen as a "tacit endorsement" of credit freezes.
Pfizer did not say why so much time passed between the breach and notification of the affected employees, which Blumenthal called "problematic."
"The potential damage to people during that time is very troubling, and (employees) could have taken action themselves if given proper notification," he said.
The Pfizer incident illustrates the widespread disparity in the handling of data breaches. Each state has different laws governing data breaches, some demanding immediate disclosure, others mandating disclosure only after law enforcement and internal company authorities have investigated.
California's data breach laws, widely considered to be among the strongest in the nation, mandated that data broker ChoicePoint reveal that it had sold information on 145,000 American citizens to a ring of Nigerian criminals in 2005.
There are currently no federal laws governing the conditions for data breach disclosures, a situation hampered by battles between industry lobbyists and consumer advocates over "risk standards" for notifying citizens that they may be affected. Congress has tried on several occasions to pass legislation dictating the terms under which breaches should be disclosed, but critics point out that such federal laws would preempt stronger state laws and remove individuals' rights to claim redress in the event of a breach.
Recently the Government Accountability Office published a report stating that data breaches were hard to link to cases of identity theft, and that businesses and government agencies should adopt risk-based standards for deciding whether or not to disclose that a breach occurred.
Critics of the "risk-based standard" say that trusting agencies and businesses to police their own data breaches means victims may never know they were affected until months after the fact -- when it may be too late.