University addresses stolen laptop
November 8, 2006
At the end of October, the University and Hilb Rogal & Hobbs, the University’s insurance broker, mailed over 1,200 letters to students, faculty and staff who are authorized to drive University vehicles.
The letter was sent to alert them of a stolen laptop that contained sensitive information, including their driver’s license numbers.
However, no social security numbers were stolen, Kenneth G. Valosky, the University’s vice president for finance, said. No identity thefts have been reported as of now.
HRH does not believe that the laptops were stolen for the purpose of identity theft, since filing cabinets containing extensive insurance records were left untouched.
HRH representatives were contacted, but were unavailable for comment.
The 1,243 affected individuals included any student, faculty or staff member who was registered to drive a University vehicle as of May 2006, according to Ashlie Docktor-Feick, the University’s manager of risk management and insurance.
At some point over Labor Day weekend a break-in occurred, during which two laptops were taken from the insurance company’s office in Plymouth Meeting, Pa.
Since then, HRH had worked with law enforcement and information technology to recreate the exact content of the machines.
Law enforcement officials determined that an e-mail sent from the University, including a list of the registered drivers’ names, license numbers, birthdates, states of licensure and department affiliations, was present on one of the laptops.
The e-mail contained an annually-updated list of the authorized drivers that is provided for insurance purposes.
In early October, HRH notified the University of the theft.
Afterwards, letters were mailed to the affected faculty and staff and to students’ permanent addresses.
In addition, HRH notified three credit bureaus, Equifax, Experian and TransUnion and the proper state authorities when applicable.
Because of the theft, HRH made arrangements to offer affected individuals a free one-year membership to Equifax Credit Watch, including credit monitoring, identity fraud expense coverage up to $20,000 and free copies of the Equifax Credit Report.
After the incident, the University took precautionary measures. It chose not to distribute a press release earlier in order to avoid notifying the criminals of the laptop’s contents, Valosky said.
He does not suspect foul play by the company concerning the matter.
“If I did, they wouldn’t be our insurance brokers,” Valosky said. “HRH, along with all those people on that list, was also victim of a criminal act.”
While this incident will not affect the University’s relationship with HRH, the manner in which documentation is shared will change, Valosky said.
Valosky said he has instructed insurance management not to e-mail files concerning sensitive information. Instead, the information will be sent via CDs, and the University will ask that the discs be returned afterwards.
However, many students are concerned about the current situation, having heard about it from unaffiliated media outlets or rumors on campus.
Sam Slattery, a biology student, graduated last year and has returned for her Master’s degree.
Slattery remarked that she became alarmed after a discussion with some students.
“I found out on Sunday when I heard some students talking about it,” she said. “I heard students were getting letters to their permanent addresses, so I called my mom.”
Slattery was van-certified as an undergraduate but is unsure if her name was taken off the annually-updated list and then added back on later, since she is required to drive vans as a teaching assistant.
She had not received a letter when she recently talked to her mother.
She was still concerned at the lack of available information and the means of communication by which the University contacted affected students, since her parents do not open her mail.
“If I got a letter, I probably wouldn’t have gotten it until Thanksgiving,” she said.
The University, however, made a conscious decision to send letters to students’ permanent addresses, rather than their local ones.
“That’s a risk we run, that the student wouldn’t look at [the letter],” Valosky said. “We did not want to run the risk of the notification not being received at all.”
Sending a distribution e-mail to the affected individuals would be complicated, Valosky said, and the University did not want to send out a mass e-mail to everyone.
He said this was done in order to avoid a panic, since only about 10 percent of the 12,000 University individuals were affected by the incident.
HRH worked with its attorneys to make sure all legal requirements were met in notifying clients, including the University.
The University decided to attach its own letter to the information HRH provided to affected individuals and mail the combined notes in Villanova envelopes, according to Valosky.
“Many people would not have known who HRH is,” he said, afraid that people would think the notification letter was junk mail. “I think we responded in a responsible manner to make sure all the affected people received the information from the University.”
University departments are required to provide driver’s license information for any individual who could be driving University vehicles in order to be covered by the University’s insurance policy, including students who are van-certified and faculty or staff members who may rent vehicles for business trips.
The University has been partnered with HRH for two years and has worked with the same core people as it had when in contract with its former insurance broker, Marsh Inc.
Unrelated to the laptop incident, a University-wide security review is currently taking place in all departments to evaluate not only the manner in which sensitive information is shares, but also the physical security of the files.
“We recognize that the issue of identity theft is serious,” Valosky said.
Valosky encouraged concerned individuals to contact Docktor-Feick to determine if they were included on the e-mail list.
A copy of the letters from the University and HRH, a question-and-answer information sheet and contact information for both Valosky and Docktor-Feick can be found by linking to the article under “Villanova News” on the University’s internal Web page.