Looks like an association just got hit by losing a hard drive containing sensitive member data:
A restored AICPA computer hard drive containing some member information (names, addresses, and Social Security numbers) was being transported to the Institute and cannot presently be located. The hard drive was damaged and had been sent out for repair by an employee in direct violation of the Institute’s internal control policies and procedures.
Despite the exhaustive investigations both within the Institute and FedEx Express, the hard drive has not yet been located. There is no evidence that the drive or its contents have been inappropriately accessed. Based on our investigation to date, we believe this is a case of a misplaced package. Nevertheless, we are pursuing a number of actions to protect our members.
Letters have been sent to some former and current AICPA members informing them of this incident and offering free credit monitoring services.
As noted above in the quote, the problem wasn’t a lack of policies. It was a lack of understanding of them by staff. All association leaders need to discuss with their staff the trust that members place in them to protect their information. Once your members feel that you have violated that trust, you may never get it back.
This also raises a question about storing SSNs. Do you really need them? If not, or if you can develop a less sensitive alternative, purge them. It’s not worth the risk.