The Virginia Department of Agriculture and Consumer Service (VDACS) might have exposed the Social Security numbers of fundraising counsel and professional solicitors to the public via its searchable online database.
And, if a charity official used a Social Security number instead of a Federal Employer Identification Number (FEIN) when filing that, too, might have been exposed to the public.
VDACS has issued a letter alerting of the potential exposure to those who used a Social Security number as the FEIN when they registered as part of the Virginia Solicitation of Contributions law. VDACS is offering to reimburse up to $100 for enrollment in a credit monitoring service to those who provided their Social Security number as the FEIN.
“VDACS took immediate steps to remove this personal information and to ensure that it was no longer accessible. While we have no indication that this personal information has been or will be misused, it is important that you are informed of this accidental disclosure,” Jennifer S. Cavedo, director, administrative and financial services for VDACS, wrote in the April 1 letter. She also apologized for the error, concluding: “Security of personal information is a very serious matter and we have taken immediate steps to prevent a reoccurrence.”
More than 11,000 organizations, fundraising counsel and fundraisers registered with the state within the past 12 months and VDACS sent almost 2,000 letters to organizations and fundraisers alerting them of the possible exposure, according to Elaine Lidholm, director of the VDACS Office of Communications.
Authorities discovered that Social Security numbers could be found via the searchable public database on June 10, 2015 and immediately disabled the site until all federal identification numbers were removed, Lidholm said. There has not been any indication that personal data was used but out of an abundance of caution, the state scrubbed the data – a time-consuming process – and determined which organizations might have used a Social Security number instead of a FEIN, she said.
Ultimately, some numbers could not be determined by type and accurate contact information was missing from other applications or no longer valid. “We had to take the time to track down proper contact information for notification,” she said.
“We were advised to explore offering some kind of credit monitoring services for people whose information could have been compromised but we had to follow state procurement rules,” Lidholm said. “Our application was at a monitoring service agency for three months, with negotiations back and forth. Ultimately, no monitoring agency approached would accept the terms and conditions required” by state law, she said, so instead, the state was advised to offer reimbursement as an alternative.