The Environmental Protection Agency (EPA) announced last week a March 2012 data breach which affected about 8,000 persons. In a statement to the Washington Business Journal, the EPA said that it had notified about 5,100 current employees and about 2,000 "other individuals." The EPA did not state whether contractors were involved.
The information lost or stolen included Social Security numbers, bank account routing numbers and home addresses. The EPA has offered one year of free credit-monitoring services to breach victims.
Several news sources reported that a computer virus, possibly delivered via an e-mail attachment, caused the breach. The affected computers were reportedly hazardous-waste program servers frequently used by contractors.
It is unclear exactly why the agency took two four months to notify breach victims. The agency stated that it had performed a risk analysis of the breach and, like most other breach notices, concluded that the exposed data had not yet been used fraudulently. In 2008, the EPA published its breach notification guidelines (Adobe PDF), which stated:
"... all notification for Category I PII incident should take place within (48) business hours of the completion of the risk evaluation and score determination. The time between discovery and reporting is one (1) hour. The time between reporting and risk evaluation should not exceed (48) hours... Each Category within its provided constraints should also consider legitimate time requirements of law enforcement and national security entities... the delay should not exacerbate risk or harm to the individual, Agency or related investigations..."
When it is your bank account information that has been lost or stolen, early notification seems best, so that consumers can check for any fraudulent charges.
In testimony before the U.S. Senate this year, the Government Accountability Office (GAO) reported some troubling statistics about data security at federal agencies. There were 15,500 breaches during 2011, up 19.2% from 13,000 breaches during 2010.