Schumer Calls for FTC Investigation of Iron Mountain Security Breach of LIRR Records

SCHUMER CALLS FOR FTC INVESTIGATION OF IRON MOUNTAIN SECURITY BREACH OF LIRR RECORDS

Data Storage Company that Lost Information of 17,000 LIRR Employees has History of "Losing" Data

Schumer Demands FTC Investigate Iron Mountain's Security and Privacy Policies and all Other Iron Mountain Security Breaches

In light of the recent security breach by Iron Mountain Inc, the data holding company that lost the personal information of 17,000 current and former Long Island Railroad employees, today U.S. Senator Charles E. Schumer called on the Federal Trade Commission to launch an investigation into Iron Mountain's security and privacy policies. Schumer also asked that the FTC look into other recent security breaches by Iron Mountain including lost data of Time Warner employees and customers of Los Angeles based City National Bank. Schumer sent letters today to both the head of the FTC and the CEO of Iron Mountain.

Schumer's letter said that he was deeply troubled by a pattern of large-scale security breaches by Iron Mountain, Inc., a Boston-based company that stores data for 70 percent of all Fortune 500 companies. Many of Iron Mountain's clients are based in New York which has one of the highest rates of identity theft in the United States.

"Employees should not be put at risk by a company that is not securing their personal data. The feds need to make certain that Iron Mountain is doing the job they were hired to do, not making it easier for thieves to do their job," Schumer said.

Schumer asked the FTC to investigate the most recent incident, which occurred on April 6, when Iron Mountain lost the personal information of about 17,000 current and former employees of the Long Island Rail Road (LIRR), including their names, addresses, social security numbers, and salaries. Although the sensitive data was lost on April 6, LIRR employees were not notified of the breach until April 24.

Similarly, in March of last year, Iron Mountain lost 40 computer tapes containing sensitive data, including the names and social security numbers, of about 600,000 people, including 85,000 current Time Warner employees and their dependents. Although the tapes were lost on March 22, 2005, information about the breach did not become public until about a month later. Even more troubling, Iron Mountain lost other tapes containing personal data on three occasions before the Time Warner incident, and one month later, Iron Mountain lost tapes belonging to City National Bank. The personal information lost in each of these incidents has never been recovered.

In his letter Schumer wrote, "The frequency and scale of these breaches is unacceptable, particularly at a time when public concern about privacy and identity theft is at an all-time high. Iron Mountain's handling of these incidents should also be reviewed. In particular, I would like the FTC to investigate and report back on Iron Mountain's privacy and security policies, including its practice of training employees and contractors, its policies regarding data encryption, the extent of background checks conducted for employees and contractors entrusted with sensitive data, the time frame and method of notifying people affected, and the scope of identity theft prevention assistance it provides people affected. Finally, I would like the FTC to investigate and identify all other security breaches involving Iron Mountain in the last 18 months, including the scope of the breaches and the companies and people affected."

http://schumer.senate.gov/SchumerWebsite/pressroom/press_releases/2006/PR145.Iron%20Mountain%20LIRR.050106.html