At least one business owner whose company was affected when an Oklahoma Employment Security Commission employee lost a flash drive containing the Social Security numbers and payroll information of more than 5,500 Shawnee-area workers isn’t pleased with the way the state agency handled the incident.
Kurt Kalies, an audiologist and owner of Shawnee-based Hearing Health Care, Inc., said he become upset with the OESC when the state agency sent a certified letter to his business but failed to address it specifically to him.
“I just can’t believe they would send out that information to no recipient in particular,” Kalies said. “There was Social Security numbers and payroll information for every employee at the company. I don’t think that seems right to me.”
Kalies said he wasn’t the first to open the letter addressed to his company despite the fact he owns the business. He said that when he called an employee at the OESC told that she didn’t see a problem with how the situation was handled.
“She basically said: ‘That’s just the way we do it, we did what we needed to do and we don’t care,’” Kalies said.
John Carpenter, spokesman for the OESC, said the affected Shawnee-area employers were contacted by phone and that a certified letter was sent out around March 25 with instructions on how to monitor credit and watch for signs of identity theft.
“We haven’t had anyone else complain, at least not that I know of,” Carpenter said. “We’ve had a couple of reporters call but that’s it.”
Another issue that irritated Kalies was the fact the flash drive was pretty much accessible to anybody who comes to possess it.
“It was not password protected, it was not encrypted and it was in Excel,” Kalies said. “So, virtually any computer in the world can access this information.”
Carpenter confirmed the flash drive was not secure, a clear oversight on the part of the employee, he said.
Kalies also said the letter sent by the agency included the name of the OESC employee who lost the flash drive, a detail that puzzled him.
“I called the guy and talked to him and I believe that he probably just misplaced the flash drive and that it wasn’t done intentionally,” he said. “I thought it was pretty strange that his name was in the letter considering they [the OESC] were saying it was an accident.”
Carpenter wasn’t sure why the name appeared in the letter, either. He also wasn’t sure if the OESC would be held liable if one of the Social Security numbers fell into the wrong hands. In fact, he said Friday afternoon that this kind of thing doesn’t normally happen with sensitive data like what was reported lost down in Dallas around March 16.
“This is the first time we’ve had an incident like this, at least since I’ve been here,” Carpenter said.
Changes coming at OESC
For their part, the agency isn’t sitting idly by while 5,534 local Social Security numbers are lost and unaccounted for. Carpenter said that since the incident the OESC has formed a committee to look at ways to protect data and the identities of the people they serve.
“The agency is currently looking at ways to improve security with devices like that,” Carpenter said. “We have a laptop encryption policy in place, where all files on the laptop must be encrypted, but obviously this information wasn’t on a laptop.”
Carpenter also said the employee, who was attending a work-related conference in Dallas some time around March 16, has had “some personnel action taken against him,” although he didn’t indicate the man had been terminated.
Watch for further updates on this story as more information becomes available next week.
---
Andrew Knittle may be reached at 214-3926.
|
|
|
At least one business owner whose company was affected when an Oklahoma Employment Security Commission employee lost a flash drive containing the Social Security numbers and payroll information of more than 5,500 Shawnee-area workers isn’t pleased with the way the state agency handled the incident.
Kurt Kalies, an audiologist and owner of Shawnee-based Hearing Health Care, Inc., said he become upset with the OESC when the state agency sent a certified letter to his business but failed to address it specifically to him.
“I just can’t believe they would send out that information to no recipient in particular,” Kalies said. “There was Social Security numbers and payroll information for every employee at the company. I don’t think that seems right to me.”
Kalies said he wasn’t the first to open the letter addressed to his company despite the fact he owns the business. He said that when he called an employee at the OESC told that she didn’t see a problem with how the situation was handled.
“She basically said: ‘That’s just the way we do it, we did what we needed to do and we don’t care,’” Kalies said.
John Carpenter, spokesman for the OESC, said the affected Shawnee-area employers were contacted by phone and that a certified letter was sent out around March 25 with instructions on how to monitor credit and watch for signs of identity theft.
“We haven’t had anyone else complain, at least not that I know of,” Carpenter said. “We’ve had a couple of reporters call but that’s it.”
Another issue that irritated Kalies was the fact the flash drive was pretty much accessible to anybody who comes to possess it.
“It was not password protected, it was not encrypted and it was in Excel,” Kalies said. “So, virtually any computer in the world can access this information.”
Carpenter confirmed the flash drive was not secure, a clear oversight on the part of the employee, he said.
Kalies also said the letter sent by the agency included the name of the OESC employee who lost the flash drive, a detail that puzzled him.
“I called the guy and talked to him and I believe that he probably just misplaced the flash drive and that it wasn’t done intentionally,” he said. “I thought it was pretty strange that his name was in the letter considering they [the OESC] were saying it was an accident.”
Carpenter wasn’t sure why the name appeared in the letter, either. He also wasn’t sure if the OESC would be held liable if one of the Social Security numbers fell into the wrong hands. In fact, he said Friday afternoon that this kind of thing doesn’t normally happen with sensitive data like what was reported lost down in Dallas around March 16.
“This is the first time we’ve had an incident like this, at least since I’ve been here,” Carpenter said.
Changes coming at OESC
For their part, the agency isn’t sitting idly by while 5,534 local Social Security numbers are lost and unaccounted for. Carpenter said that since the incident the OESC has formed a committee to look at ways to protect data and the identities of the people they serve.
“The agency is currently looking at ways to improve security with devices like that,” Carpenter said. “We have a laptop encryption policy in place, where all files on the laptop must be encrypted, but obviously this information wasn’t on a laptop.”
Carpenter also said the employee, who was attending a work-related conference in Dallas some time around March 16, has had “some personnel action taken against him,” although he didn’t indicate the man had been terminated.
Watch for further updates on this story as more information becomes available next week.
---
Andrew Knittle may be reached at 214-3926.
