EPA takes four months to inform employees of data breach

EPA notified 5,100 employees and 2,700 “other individuals” on Tuesday about a March security incident that exposed their social security numbers, banking information, and other personal information contained in an agency database, according to a statement sent to the Washington Business Journal.

"EPA conducted a risk analysis, [which] indicates it is unlikely the personal financial information has been used. Vigilantly keeping data secure from increasingly sophisticated cyber threats is a top priority at EPA. The agency has already added new safeguards in response to the incident", the agency said in the statement.

According to a 2008 document detailing EPA’s notification procedure for a breach of personally identifiable information, any delay in notification "should not exacerbate risk or harm to the individual."

The document also stated: “Individuals must understand they are subject to disciplinary action for failure to take appropriate action upon discovering the breach or failure to take required steps to prevent a breach from occurring.”
