A Maryland Department of the Environment laptop computer stolen from an employee's car last weekend held personal information, including Social Security numbers, for 10,000 residents registered with one of four state boards.
The car was recovered, but not the laptop, said Robert Ballinger, deputy director of communications for the department.
Ballinger said all 10,000 people identified in the database have been notified via mail. The computer included names, addresses and phone numbers of members of the boards of well drillers, environmental sanitarians, waterworks and septic inspectors.
The computer and the file were protected with separate passwords, Ballinger said.
"We feel confident that the data on the laptop was unattainable to the person who stole it," he said.
Identity-theft experts said the state made several mistakes in this case, which follows other local data-storage lapses, notably a Department of Natural Resources breach that jeopardized information about 1,433 current and retired agency employees and the loss of computer tapes containing personal records for 135,000 Johns Hopkins employees and patients.
Computers holding sensitive information should never be left in cars, even in locked trunks, which happened in the most recent case, said Linda Foley, founder of the Identity Theft Rescue Center in San Diego.
"Our motto is "Out of sight means out of control," she said.
Data should be encrypted, Foley said, not just protected by passwords. A hard drive can be transferred to an unprotected machine, where it could be accessed without a password.
"There are a lot of programs that can get past passwords," Foley said.
Ballinger said three credit bureaus were notified of the breach and that the department is urging people affected to contact them directly to request a fraud alert for their accounts.
Foley said state officials, rather than notifying the credit bureaus, should have advised those potentially affected by the lost laptop to contact the bureaus, which, she said, often peddle unnecessary products.
"What they should have done is said to these people, `Contact the three credit report agencies, place a fraud alert on there and renew it again after 90 days,'" she said. "Most people do not know and are not told."
Christine Hansen, a deputy press secretary for Gov. Martin O'Malley, said the governor thinks the department took "the appropriate action."
