Burglars broke into the offices of a national retirement investment company in downtown Phoenix and stole four laptop computers, one of which had the Social Security numbers of 13,000 public employees, company officials said.
The burglary took place in early April, but customers affected were not notified until weeks later.
A spokeswoman for Nationwide Retirement Solutions said one computer contained personal information about employees enrolled in 65 separate deferred compensation plans in “outlying counties and municipal plans,” representing 12 percent of the company’s customers in Arizona.
Nationwide spokeswoman Carah Brodie declined to name the local governments affected, but said the information taken did not involve every employee in those counties and cities.
Nationwide Retirement Solutions, based in Columbus, Ohio, has more than 1.5 million public sector clients across the country, including a contract with Arizona state government.
“No state employees of Arizona were affected by the burglary,” Ms. Brodie said. She said the Phoenix Police Department is investigating the burglary, which occurred at the company’s office at 4747 N. Seventh St. sometime between April 7 and April 9. No arrests have been reported.
State employee information was secure on the company’s national computer server, Ms. Brodie said.
Arizona Capitol Times was unable contact police investigators, but Ms. Brodie said they told her they think the burglars were after the computers to sell them and were unaware of the information stored on them. The other three computers did not contain sensitive information, she said.
“They kicked in the door to enter the office,” Ms. Brodie said, adding that the information is secured by computer user ID and password protection.
She said all the employees whose information was on the computer were notified of the theft more than month later, and the company offered them assistance with their credit information.
Customers notified May 19
“Customer letters were mailed May 19,” Ms. Brodie said. “The investigation, in cooperation with local police, took some time.”
Ms. Brodie said more than 1,100 customers affected by the theft have enrolled in the company’s free credit monitoring and receive $25,000 in ID theft insurance. Another 966 customers have requested a free fraud alert service, and no one had reported misuse of their personal information
“Arizona law doesn’t require us to do anything, but we take privacy and security very seriously,” she said. “We don’t have any reason to believe that this information is going to be used, just that the thieves were after the equipment themselves for resale value, not knowing what if any information would be on it.”
Arizona soon will require holders of personal information to notify customers of any breach of security, with the passage in April of S1338, which was signed by Governor Napolitano. The law will become effective Jan. 1, 2007.
The bill also permits the state attorney general to bring charges for violation of the law, which will carry a civil penalty of not more than $10,000.
Another bill, S1347, would permit people to request that their credit information be frozen and not released to anyone, but the measure did not come up for final votes.
Ms. Brodie said the burglary was the first time company information has been stolen, adding it was a “worrisome” situation. The employee information was on the laptop of a sales representative, she said.
“There’s no blame here on an individual associate,” Ms. Brodie said. “That office was a victim.”
Computer serial numbers were given to police to track the computers if someone attempts to pawn them.
Nationwide says it has taken steps to further secure information stored on its laptops, including the removal of customer data from the Phoenix office laptops and encryption of all information on the hard drives.
The Phoenix metropolitan area had the highest per capita rates of identity theft in 2005, with 9,320 complaints filed with the Federal Trade Commission. Security breaches can include loss of misplaced computer disks or backup tapes, stolen computers, hacked data or compromised passwords.
What deferred compensation does
The state in 1975 established a deferred compensation program for employees to set up a supplemental retirement program. Nationwide was chosen to administer the program, which requires a minimum contribution of $20 per pay period, and state employees 50 years old and older may each defer more than $15,000 in 2006.
A seven-person governing committee established to oversee the program includes three state employees appointed by the governor, the director of the Department of Administration, the director of the Department of Insurance, and the director of the state retirement system. Yota Aguilar is the manager of the local office.
The program undergoes annual financial audits.
“The security of employee, contractor and customer personal information is of paramount concern to this administration,” said William Bell, director of the Department of Administration. “We are constantly improving and enhancing our physical and network security infrastructure as technologies evolve.”
Nationwide Retirement Solutions, a subsidiary of Nationwide Financial Solutions, would not release the amount of deferred compensation contributions in Arizona.
The federal Department of Veterans Affairs last month learned that an employee, a data analyst, took home electronic data from the VA that was stored in his home on a laptop computer and external hard drive. He was not authorized to take this data home.
The employee’s home was burglarized, and the computer equipment and other items were stolen. The electronic data stored on the computer included identifying information for millions of veterans.
As in the Phoenix burglary, authorities said believe the computer equipment, rather than any data on it, was the target of the theft. The VA said it is taking all possible steps to protect and inform all veterans, service members, and reservists potentially affected.
Records containing Social Security numbers and claims history, some credit card numbers and other private information were taken in a break-in in 2002 at Phoenix-based TriWest Healthcare Alliance, a defense contractor that provides managed health care for 1.1 million active duty personnel, their dependents and retirees in 16 states.
The Defense Department that year received an “F” grade for its computer security from a House Government Reform subcommittee.
Last year, the personal information of 57,000 Blue Cross Blue Shield of Arizona customers was stolen from Arizona Biodyne, a Phoenix-based managed care company. A safe containing backup tapes was stolen from its office at 8900 N. 22nd Ave.
In Tucson last year, personal information of 40 million credit card holders was taken by a computer hacker, the FBI said.
FYI
The prime sponsors of S1338 were Sens. John Huppenthal, R-20 and Linda Gray, R-10; and Reps. Doug Quelland, R-10; Trish Groe, R-3; Marian McClure, R-30, and Tom O’Halleran, R- 1.