The Hendricks County Child Advocacy Center, Inc. (“Susie’s Place”) experienced a theft of computer equipment on December 25, 2012 (“Incident”), which may have contained certain information about charitable contributors or individuals who received services. Susie’s Place has been working with the Avon Police Department and the Department of Child Services (“DCS”) to mitigate the risk of identity theft resulting from the recent theft of computer equipment.
Susie’s Place takes its responsibility to protect information it stores very seriously, and sincerely regrets this loss of data. We realize individuals entrust us to protect their information, and we are committed to providing assistance to mitigate any harmful effects of this theft of computer equipment, are conducting a comprehensive review of security measures, and will be enhancing our administrative, physical, and technical safeguards to help reduce the likelihood of this type of situation from occurring again.
The following provides details about the nature of the Incident, what steps Susie’s Place is taking to help prevent such an event from occurring in the future, and suggestions for things individuals can do to protect themselves from identity theft.
What data was exposed?
The lost data set generally included three fields: names, contact information, and dates of birth for individuals who received services. The data set included this information for individuals who made charitable contributions or had received services from Susie’s Place. At this time, we do not believe Protected Health Information (PHI) was maintained in the computers, and no HIPAA violations occurred.
Records in the data set did not contain personal information such as Social Security numbers, medical records, insurance information, or financial institution information. Such information is neither collected nor stored by Susie’s Place. Records related to interviews conducted by Susie’s Place staff are normally transferred to law enforcement or DCS personnel upon conclusion of the interview and in the unlikely event possession of this information was not immediately transferred, such information is only retained a maximum of 45 days.
How did the theft happen?
In violation of criminal laws, unknown individuals broke into and entered Susie’s Place Avon, Indiana office. Although the computer equipment was protected with a complex password, and thus may not be easily accessed, some data which is available in the public domain may have been unencrypted. The individuals exerted unauthorized control over the property.
On December 25, 2012, a neighboring tenant also reported items stolen from its offices. Based upon the carelessness of the perpetrator(s), nature of items stolen, and vandalism to the office, Susie’s Place is of the opinion the individuals did not have the intent in accessing the data from the computer equipment.
It is important to understand any identifying information was most likely not the intended target of the theft but rather was coincidental to a pattern of random office burglaries in the area. In all likelihood, the perpetrator(s) does not realize the data is on the computer equipment, could not be familiar with the specialized software used by Susie’s Place, nor would he or she know how to use it to commit identity theft. To be able to use the computer equipment at all, the person would need either to guess the complex password or have access to sophisticated computer forensics technology. To date, Susie’s Place has no indications any data has been misused and most data maintained in the computer equipment is already available in the public domain (ie name and mailing address).
What is Susie’s Place doing to assist individuals?
Susie’s Place is encouraging individuals to monitor and review their credit reports using www.annualcreditreport.com. Individuals can request a free credit report online, request a report by phone or request a report through the mail. Free credit reports requested online are viewable immediately upon authentication of identity. Free credit reports requested by phone or mail can be processed within 15 days of receiving your request.
This site allows you to request a free credit file disclosure, commonly called a credit report, once every 12 months from each of the nationwide consumer credit reporting companies: Equifax, Experian and TransUnion.
You also have the right to ask consumer credit reporting companies place “fraud alerts” in your file to let potential creditors and others know that you may be a victim of identity theft. A fraud alert can make it more difficult for someone to get credit in your name because it tells creditors to follow certain procedures to protect you. It also may delay your ability to obtain credit. You may place a fraud alert in your file by calling just one of the three nationwide consumer credit reporting companies. As soon as that agency processes your fraud alert, it will notify the other two, which then also must place fraud alerts in your file.
Equifax: 1-877-576-5734; www.alerts.equifax.com
Experian: 1-888-397-3742; www.experian.com/fraud
TransUnion: 1-800-680-7289; www.transunion.com
Susie’s Place encourages you to consider taking advantage of credit monitoring services by contacting the credit reporting companies. Utilizing these services will help you monitor trends to see if identity theft may be occurring as a result of the Incident and could help locate the source of any such identity theft. Susie’s Place will monitor any reports of suspected identity theft related to the stolen computer equipment and will assess additional protections as circumstances may warrant. To date, no reports of misuse of the data on the computers have been reported.
Preventing Fraudulent Use of Information:
Susie’s Place encourages all individuals to be vigilant in protecting themselves from third parties who may try to use their identity for nefarious purposes and to undertake steps recommended by the FTC at www.consumer.ftc.gov/features/feature-0014-identity-theft
Susie’s Place strongly recommends you consider updating contact and password information on your financial accounts if you have not already done so. If you receive any suspicious calls or reports erroneously suggesting you have ordered or requested certain goods or services, you should follow up promptly with the seller, and immediately notify the Avon Police Department (ie www.avongov.org/department/?fDD=2-0) and financial institutions if you confirm your identity has indeed been stolen.
What Steps is Susie’s Place Taking to Prevent Future Incidents?
Susie’s Place has had a robust privacy and security infrastructure in place for several years to protect information it collects or stores, and it also applies those same safeguards any personally identifiable information (PII) which may have been transmitted to it. However, as a result of the Incident, Susie’s Place is reviewing and enhancing its security policies and procedures.
For example, Susie’s Place is in the process of installing revolutionary, advanced technology security systems and enhancing its encryption capabilities and requirements. Susie’s Place will be evaluating and purchasing new encryption software which will be deployed to all desktops and laptops. The new software will automatically encrypt all data on the hard drive as well as any files copied to removable media (CDs, flash drives, etc.). Also, any USB device plugged into a Susie’s Place computer will be automatically encrypted.
Susie’s Place is also intensifying its employee training to require every employee and contracted staff member who has exposure to nonpublic information complete a privacy/security certification program. Susie’s Place has recently completed updating its existing information inventory and associated access privileges to ensure only individuals with a specific need to access applications or files have such access. Susie’s Place will continue to consider and evaluate additional controls which may be appropriate.
For Further Information:
Individuals who have further questions about the Incident can contact the Board of Directors at firstname.lastname@example.org or complete the form below.
The Susie’s Place Child Advocacy Center Board of Directors
Frequently Asked Questions
- What type of information was involved? Information on the Susie’s Place computers contained demographic information, such as name, address etc. for children and families served by Susie’s Place and our donors and supporters. It did NOT include social security numbers, credit card information, bank account information, or any other financial details. NO forensic interviews were released or compromised.
- How do I know if my information was in any Susie’s Place database? Susie’s Place is working diligently to notify anyone that may have been impacted by the burglary of our facility.
- Were the Susie’s Place operations disrupted by this burglary? Susie’s Place did have to close the Avon child advocacy center for a period of time. During that closure, Susie’s Place worked with Brownsburg Police Department to ensure that any children requiring forensic interview services could be served by Susie’s Place staff at their facility. The Susie’s Place Bloomington facility’s operations have remained uninterrupted.
- What can I do to support Susie’s Place at this time? The most significant need for Susie’s Place at this time is monetary support. Susie’s Place is a 501(c)(3) organization and all donations are tax deductible. To make a donation, please visit our donation page. You can also check our website and Facebook page for an updated Wish List of current needs.
Contact Susie’s Place with Questions or Concerns