October 31, 2013
Current and past County employees:
During an investigation of identity theft reported to the Baltimore County Police Department, investigators discovered data on a home computer belonging to the suspect that included personal information (defined below) of Baltimore County Government employees. The investigators did not find financial information or tax payer personal information on the computer. At this time, there is no evidence that any employees’ information was misused in any way. We are providing notice of this incident to every past and present County employee whose data was found on the suspect’s computer.
We believe that the suspect gained access to this information sometime between December, 2011 and July 13, 2012, when he was working for an independent contractor hired by the County to deploy employee computers. While working in County offices, the suspect only had access to employee hard drives (c: drive). He did not have access to other areas of the network. The County has strict thresholds for background checks of its contractors and their employees. The County received a procurement affidavit from the contractor, which included an affirmation, under penalty of perjury, that none of its employees had been convicted of, among other matters, fraud or theft.
We believe that the suspect gained access to the personal information when he was deploying a new computer to a County employee who had downloaded the information from the County’s secure network to the employee’s hard drive (c: drive) on the employee’s computer. This downloaded file was needed by the County employee, working in a secure location, to perform work assigned to the employee. This download was not in violation of the County’s security policy at the time.
The investigators discovered the personal information of County employees and retirees while investigating the suspect for an identity theft crime unrelated to County government. The suspect was recently arrested as a result of a cooperative effort with local, state and federal law enforcement.
The County is now amending its policies with respect to personal information. Since 2010, employees have not been allowed to download any personal information from any County network application onto any remote devices such as flash drives, CDs and DVDs. They were also not allowed to email such information in any way. Employees were allowed to download such information to the hard drives (c: drive) of their County desktops. Effective immediately, employees are not allowed to download such personal information to their County desktop hard drives (c: drive). The Office of Information Technology has begun to, and will routinely, scan all Baltimore County Government PCs to ensure that there is no personal information being stored on County desktops.
The County will continue to reinforce this policy through mandatory annual security awareness training. A copy of the County’s “Protection of Personal Information Policy” is attached. Every County employee must comply with this policy. All of the County’s security policies may be accessed by the attached link: http://bcnet.co.ba.md.us/agencies/infotech/security/policy/index.html.
The personal information found on the suspect’s seized computer includes only the employee’s name in combination with the employee’s social security number.
Other data found on the suspect’s computer, which is not considered personal information under State information technology law but is not typically considered a public record, includes:
the employee home’s address
- the employee’s leave balances
- the employee’s county identification number
Other data found on the suspect’s computer, which typically is considered a public record, includes:
- the employee’s salary rate and salary
- the employee’s agency in county government
- the employee’s adjusted start date and start date
- the employee’s job classification
- the employee’s title, race and gender
The data found on the suspect’s computer did not include employee financial or other bank account information, or credit or debit card numbers.
Although the investigators have no present indication that this data was fraudulently used, if you have concerns about your credit, you may contact the credit reporting agencies and have them place a fraud alert on your records. A copy of the police report (CC#13-303-0518) is linked, should you desire to send it, along with a copy of this letter, to the credit reporting agencies. Contact information for the credit reporting agencies is as follows:
P.O. Box 6790
Fullerton, CA 92834
If you are interested in learning more about protecting yourself from identity theft, you should refer to the attached links:
Maryland Attorney General: http://www.oag.state.md.us/idtheft/
Federal Trade Commission: http://www.consumer.ftc.gov/features/feature-0014-identity-theft
United States Department of Justice: http://www.justice.gov/criminal/fraud/websites/idtheft.html
Should you have any questions please email them to the County at: firstname.lastname@example.org.