EPA notified 5,100 employees and 2,700 “other individuals” on Tuesday about a March security incident that exposed their social security numbers, banking information, and other personal information contained in an agency database, according to a statement sent to the Washington Business Journal.
"EPA conducted a risk analysis, [which] indicates it is unlikely the personal financial information has been used. Vigilantly keeping data secure from increasingly sophisticated cyber threats is a top priority at EPA. The agency has already added new safeguards in response to the incident", the agency said in the statement.
According to a 2008 document detailing EPA’s notification procedure for a breach of personally identifiable information, any delay in notification "should not exacerbate risk or harm to the individual."
The document also stated: “Individuals must understand they are subject to disciplinary action for failure to take appropriate action upon discovering the breach or failure to take required steps to prevent a breach from occurring.”