Alaska House Dems Want More Info On Pricewaterhouse Data Breach
All of the House Democrats* have written a letter questioning the Department of Law on the State's handling of the PricewaterhouseCoopers breach of the TRS** and PERS** data bases. They wrote (in part):
A not-so-subtle point in all this is the difference between 'agreed to' and 'are required by law to'. One paints the company as volunteering to do all these things out of the goodness of their corporate hearts (since corporations are constitutionally people, I guess they have hearts too right?). The other shows the company doing what they are required by law (and... no more? no less?)
According to Dermot Cole's Fairbanks NewsMiner piece, the most complete media coverage I can find on the breach,
This has too much jargon for me to jump to any conclusions on a Sunday afternoon when I can't get an attorney to help me interpret this. But assuming that PricewaterhouseCoopers is indeed an 'information recipient,' I would be concerned about their interpretation of 'immediately' given they are reported to have discovered the breach in 'early December' 2009 and notified the State of Alaska in late January 2010.
Were they spending all that time trying to decide how much they wanted to cooperate?
Another wrinkle in all this is the fact that PricewaterhouseCoopers had the data because they were analyzing it as part of the state’s lawsuit against Mercer. From the New York Times:
Given that the PricewaterhouseCoopers is working with the State in the lawsuit, perhaps the State worded the document because
* There are a couple more (rural) Democrats who have joined the Republican majority, presumably because they feel they can secure more resources for their constituents that way.
**Teachers Retirement System and Personnel Retirement System
Under AS 45.48 the Personal Information Protection Act, PricewaterhouseCoopers is required to immediately notify every person who may be affected by the security breach by a written document mailed to the most current address or by electronic means. We have the following questions:
- Is PricewaterhouseCoopers fully complying with the law?
- Has the state waived any requirements under AS 45.48 for PricewaterhouseCoopers?
- What does PricewaterhouseCoopers need to do to comply in full with AS 45.48?
- When did PricewaterhouseCoopers lose the data and when did it know of the loss?
- When and how did the state learn about the lost data?
- What are the details of this settlement? Will the settlement document be made public?
A not-so-subtle point in all this is the difference between 'agreed to' and 'are required by law to'. One paints the company as volunteering to do all these things out of the goodness of their corporate hearts (since corporations are constitutionally people, I guess they have hearts too right?). The other shows the company doing what they are required by law (and... no more? no less?)
According to Dermot Cole's Fairbanks NewsMiner piece, the most complete media coverage I can find on the breach,
" In early December, PricewaterhouseCoopers discovered that the information was missing."I looked up AS 45.48 and searched for the word 'immediately.' It only showed up once:
Sec. 45.48.070. Treatment of certain breaches.(a) If a breach of the security of the information system containing personal information on a state resident that is maintained by an information recipient occurs, the information recipient is not required to comply with AS 45.48.010 - 45.48.030. However, immediately after the information recipient discovers the breach, the information recipient shall notify the information distributor who owns the personal information or who licensed the use of the personal information to the information recipient about the breach and cooperate with the information distributor as necessary to allow the information distributor to comply with (b) of this section. In this subsection, "cooperate" means sharing with the information distributor information relevant to the breach, except for confidential business information or trade secrets. (emphasis added)
This has too much jargon for me to jump to any conclusions on a Sunday afternoon when I can't get an attorney to help me interpret this. But assuming that PricewaterhouseCoopers is indeed an 'information recipient,' I would be concerned about their interpretation of 'immediately' given they are reported to have discovered the breach in 'early December' 2009 and notified the State of Alaska in late January 2010.
Were they spending all that time trying to decide how much they wanted to cooperate?
Another wrinkle in all this is the fact that PricewaterhouseCoopers had the data because they were analyzing it as part of the state’s lawsuit against Mercer. From the New York Times:
The lawsuit says that Mercer’s mistakes hindered the ability of Alaska’s retirement system to meet its obligations to former public employees. . .
That Mercer erred in its calculations is bad enough — getting such details right, after all, is what the firm advertises as its stock in trade.
But an even bigger grenade dropped earlier this year when the Alaska board, citing depositions of Mercer employees, contended that company executives had known about the actuaries’ errors and covered them up.
If Alaska prevails in court, it could entitle the retirement system to punitive as well as treble damages.
Mercer, with 4,000 employees in 150 offices around the world, concedes that the Alaska case is a threat. In its usual corporate filings, a brief discussion of the case heads a list of risks facing Marsh. It also notes that it has “limited” insurance to cover the costs of an adverse outcome.
Given that the PricewaterhouseCoopers is working with the State in the lawsuit, perhaps the State worded the document because
- they have developed a close relationship with their consultants and felt that PW was well intentioned and/or
- they want to make sure that they continue to be a good partner as the case progresses through the court system.
* There are a couple more (rural) Democrats who have joined the Republican majority, presumably because they feel they can secure more resources for their constituents that way.
**Teachers Retirement System and Personnel Retirement System