Apology sent over CalPERS privacy error

August 22, 2007

By Darrell Smith - Bee Staff Writer


State pension fund officials apologized Tuesday to hundreds of thousands of retirees whose Social Security numbers were printed on brochures mailed out last week and vowed to take immediate steps to ensure that such an error does not happen again.

Roughly 445,000 retirees across the state received the brochures announcing an upcoming election to fill a rare vacancy on the board of the California Public Employees' Retirement System. All or a portion of each person's Social Security number appeared -- without hyphens -- on the address panel.

"While it is unlikely that someone would recognize the series of numbers as being a Social Security number except you, we consider this a serious incident," read a letter to state retirees explaining the breach.

The discovery shocked Jeanette Brown of Rancho Cordova. Retired for three years after a 39-year career at the state Franchise Tax Board, the former analyst said she was "very aware of Social Security issues and privacy," alerted former colleagues of the breach, and fired off letters to CalPERS and the Governor's Office.

"In this day and age, there's no excuse to make this error. Somebody goofed," Brown said.

The error occurred in-house. Staffers who obtained the computerized address files did not realize Social Security numbers were on the files, CalPERS spokeswoman Pat Macht said.

"We're very sorry it happened. It was very inadvertent. We've apologized to each member and given them options to protect their identity," Macht said.

CalPERS officials would not discuss whether any disciplinary action was meted out. The agency has responded by:

. Sending personal letters to retirees explaining what happened. The letter provides addressees and phone numbers for credit agencies, explains that members can call to place a fraud alert advising credit agencies and creditors to look for suspicious activity, and advises members how to check for fraudulent credit activity.

. Launching a full internal review of how it uses and stores information.

. Adding a level of checks and balances. CalPERS' Office of Information Security and a senior CalPERS official must sign off on any personal information released in mailings by the CalPERS information technology services division. All requests for member data are funneled through that unit, and it determines why the data are needed.

. Implementing information security awareness training for staff, including how confidential information is protected and why it should be safeguarded.

. Destroying electronic files containing the numbers that were stored at an outside mail house.

. Considering use of unique identifiers that can be used for CalPERS members rather than Social Security numbers.

. Providing a toll-free phone line to answer questions. Call (888) 225-7377.

All are good signs, said Russ Heimerich, a spokesman for the state Department of Consumer Affairs.

"It shows me they're doing the right things," Heimerich said. It's regrettable that it takes something like this, (but) they recognize a major mistake has been made and they're working to fix it."

He also said the agency is working to allay fears of information fraud and said the threat is lower than when Social Security numbers are sent electronically.

"That minimizes it a lot. The number of eyes that are going to see it are going to be limited," Heimerich said. "(The breach) is still severe," but that the Social Security numbers were only on hard copies limits the potential damage to CalPERS members.

The error comes as more and more Americans are concerned about the possibility of identity theft. The state's Office of Privacy Protection cited a Zogby Interactive survey in March that reported 91 percent of respondents said they were concerned that their identity might be stolen and used to make unauthorized purchases.

Identity theft was on Sacramento resident Sharon Schroepfer's mind Tuesday.

"What is our recourse? How do we protect ourselves?" said Schroepfer, who retired three years ago from the Department of Health Services. "From a broader consumer perspective, this could happen to anyone."

An e-mail from a former colleague alerted her to the breach. The message sent her to the recycling bins to find the seemingly innocuous mail she had tossed. Identity theft experts recommend destroying such information with a criss-cross shredder.

"We live in an age of a lot of information going in a lot of different directions," the 59-year-old Schroepfer said. "You have to scrutinize everything."

main page ATTRITION feedback