In August 2009, a computer at a PERS employer’s office was infected by a Trojan computer virus. This computer was used by an employee to access EDX and report payroll information.
This virus captured information appearing on the employee’s computer screen and sent it to a hacker in Europe. The captured information included the employee’s user ID and password, as well as personal information, including the Social Security numbers (SSNs) of two employees.
When PERS was notified, we immediately disabled the EDX account to prevent unauthorized access. The employer notified the employees whose SSNs were compromised and is offering them free credit monitoring for a year. Although it was unfortunate that personal information was compromised for two employees, this could have turned into a much bigger breach, which could have been much more costly for the employer.
We wanted to share this real-life example to remind all of our employers of the need to be vigilant about information security, especially considering all the confidential and personal information we handle on a daily basis.
All employers should be aware of their responsibilities under Oregon Revised Statute 646A.600, known as the Oregon Consumer Identity Theft Protection Act. This law requires the development of safeguards for personal information, which includes having a security program and ensuring employees are trained on information security-related policies and procedures. The security program should include implementing technical and physical safeguards to detect, prevent, and respond to attacks or intrusions.
There are many safeguards to consider. Some examples include:
- Using strong passwords,
- Ensuring anti-virus software is updated, and
- Updating software with all the latest security patches.
If a security breach is detected, the Oregon Consumer Identity Theft Protection Act requires the entity to notify affected parties that their personal information may have been compromised.
Please direct all comments on this subject to: firstname.lastname@example.org