HARTFORD, Conn. (Legal Newsline) - Connecticut Attorney General George Jepsen requested additional information on Friday from Central Connecticut State University and the state Department of Labor about security breaches.
Jepsen sent separate letters to Central Connecticut State University President Jack Miller and state Department of Labor Commissioner Glenn Marshall. In the letters, Jepsen requested that the officials provide explanations about how any unauthorized disclosure had happened and what steps were taken to remedy the issue.
On Thursday, the university released a notice that a Z-bot virus in an office computer exposed the Social Security numbers of more than 18,000 individuals connected with the university for eight days in December. The infected computer was then taken off line.
"In order to evaluate the sufficiency of protections in place within CCSU to guard against these kinds of security breaches, I ask that you provide my office information regarding CCSU's policies and procedures for protecting electronically stored information, including CCSU's anti-virus software scan and update protocol," Jepsen said.
"I also request that you provide information regarding CCSU's employee training program relative to computer usage and reporting of suspicious links, e-mails or attachments."
Jepsen said that he had knowledge of both agencies' decisions to provide two years of credit monitoring to individuals who were affected and said that reimbursement should also be provided for the individuals to place and lift one security freeze for each credit file.
"I am pleased that both agencies appear to have responded to these breaches with appropriate concern," Jepsen said. "As state agencies, we must set an example for the private sector and take whatever steps are necessary to improve procedures for handling and protecting personal information entrusted to our care."
In the alleged breach at the Department of Labor, the salary, wage information and Social Security numbers of more than 500 employees connected to an appeal before the Employee Security Appeals Board were exposed. The information was sent along with a hearing notice about the appeal to at least two individuals.
"I am concerned about the procedures in place within the department to indentify documents containing sensitive information and to make certain that such information is redacted before any disclosure of each document is made," Jepsen said. "I therefore request information regarding the department's policies and procedures for protecting sensitive information from being disclosed in this context."
Jepsen requested that the two agencies respond to his inquiry by the end of the month.