
CHARLOTTE, NC — Taxpayers could end up paying to clean up Charlotte-Mecklenburg Schools’ data breach.
The district says it emailed 7,600 job applicants, informing them someone mistakenly sent their personal info to an outside contractor.
Bottom line, Better Business Bureau President and CEO Tom Bartholomy says CMS, and any business, should not ask for social security numbers until the end of the hiring process.
“They’re exposing themselves to a liability they don’t want to be exposing themselves to,” said Bartholomy.
The 7,600 applicants’ identities are now at risk, he says, and thousands of dollars in fines are possible, depending on the size of the breach.
CMS gave WCCB Charlotte the letter the district sent to victims Friday. In it, the district explains, “…a CMS employee disclosed your employment application information, which included your name, address, and social security number, to an outside contractor prior to obtaining appropriate authorization.”
Because of identity theft risks, the BBB says it could be illegal for a company to ask for your social security number.
They must answer to you and to the Federal Trade Commission: why they need it, what they are going to do with it and how they are going to destroy it.
Bartholomy says the only reason a company would need your social security number is if you were applying for a finance position that requires a credit check.
I asked CMS what jobs the applicants were applying for. The district did not respond Tuesday.
“I think they’d probably have a difficult time proving to the federal government that they were going to do a credit check on every one of those applicants,” said Bartholomy.
CMS did tell applicants, “…the contractor has agreed to destroy all data…”
Still, the BBB President says hacker risks would leave him complaining to the FTC.
“How did they transfer that info to that vendor?” asked Bartholomy. “If they emailed it, God bless them.”
CMS didn’t say and wouldn’t give the name of the vendor.
If agents investigate, taxpayers will foot the bill. If they fine CMS, that bill would again go to the taxpayers.
CMS did give applicants the names of companies they can use to check their credit and stay on top of fraud.
CMS sent WCCB Charlotte this statement: “While performing legitimate work duties, a CMS employee entered into a work agreement with a vendor prior to obtaining proper authorization. The action resulted in the unauthorized release of confidential data. CMS takes the unauthorized release of information seriously and promptly informed all affected applicants as required by law. CMS has worked collaboratively with the vendor to ensure the sensitive information was destroyed and has taken measures to prevent any additional release of information.”