Drive Containing AICPA Member Info Goes Missing

A missing hard drive has led the American Institute of CPAs to warn all of its approximately 330,000 members that their names, addresses and Social Security numbers were among the data on the drive.

In a May 8 letter from senior vice president of finance and administration Anthony Pugliese, the institute said that it never received a package containing a restored computer hard drive holding the member information, despite "exhaustive investigations" within the AICPA and FedEx Express.

"The hard drive was damaged and had been sent out for repair by an employee in direct violation of the institute's internal control policies and procedures," Pugliese said in the letter. "We deeply regret this incident."

No credit card information was contained on the drive and the AICPA said that it has yet to hear about any of the information on the drive having been inappropriately accessed. Pugliese's letter stated that the AICPA believes it is simply a case of a lost package, and a spokesman for the institute noted that statistics have shown that less than one-tenth of 1 percent of such cases ever result in misuse of such information -- including cases of intentional hacking. In cases of lost tapes or disks, such as this particular incident, actual misuse is even lower.

Nonetheless, the AICPA is taking a number of steps to safeguard members.

The AICPA will provide a free year of credit monitoring to members through ConsumerInfo.com, an Experian company, beginning May 23, and has contacted the major credit bureaus to advise them of the incident. The institute has also launched a dedicated section of its Web site, www.aicpa.org/privacyinfo, to act as a clearinghouse for information about the incident. The AICPA stressed that it would not be contacting members directly and any calls to them requesting clarification about personal information should immediately be reported.

As an additional step towards protecting its members in the future, the institute has already begun deleting members' Social Security numbers from an internal database. The collection of the numbers had always been standard procedure for the organization, but will now only be done on a limited basis.

Members wishing to contact the AICPA with further questions, or concerns about the incident, can call a dedicated Privacy Information Center at (800) 826-3881, or email the institute at securityinfo@aicpa.org.
