Retirement Plan's Error Discloses Personal Data _____Special Report_____

By Ariana Eunjung Cha Washington Post Staff Writer Wednesday, January 24, 2001; Page E01

The envelope that was supposed to contain his quarterly 401(k) statement had his name and the words "personal and confidential" stamped on it. But when Duncan Phenix tore it open Monday night, he found his boss's information instead.

Social Security number. Birth date. Fund balances.

Or, as Phenix put it, "everything a criminal would need to steal your identity."

Phenix, a producer with WMC-TV in Memphis, along with an undetermined number of his 2,800 colleagues at Raycom Media Inc., received statements this week that were mixed up as a result of a printing error at a processing center operated by American Express Co., the 401(k) plan's administrator.

Some of Phenix's co-workers got documents with their own information printed on one side and a stranger's on the other. Others received statements contain information on two other people. Several people said the misdirected data they received was that of an employee with a name that fell immediately before or after theirs alphabetically.

American Express spokeswoman Jean Miller called the problem an "isolated issue." While she declined to say how many customers were affected, she said they comprise about 0.5 percent of all accounts managed by the financial services giant. She said workers at another company -- which she declined to name -- also received "erroneous information" in their most recent mailings.

The debate about loss of privacy in the information age usually focuses on the dangers posed by hackers and the misuse of data collected on the Internet. But the mismatched 401(k) statements, along with other recent technological problems that exposed personal information, illustrate that honest mistakes continue to play a role.

"There's the saying: 'To err is human, but to really foul things up takes a computer.' Computers amplify simple mistakes," said Richard Smith of the Privacy Foundation, a national research and education group.

"More and more, the cause of privacy breaches isn't malicious intent but a programming mistake," said Andrew Shen, a policy analyst with the Electronic Privacy Information Center.

American Express is sending notification letters and new statements to clients who may have been affected, Miller said. The company will individually check the new mailings for accuracy. "Privacy is a number one priority at American Express. . . . We really apologize to the clients affected," she said.

In e-mail sent late Monday and yesterday morning, Raycom executives urged employees who receive other people's information to destroy the papers or turn them in to their benefits administrators. Officials at Raycom, which owns 36 television stations in 19 states and Puerto Rico, did not return telephone messages yesterday.

In another breach of privacy, Northwest Airlines warned some consumers who used its Web site last year that their credit-card numbers and other information were unprotected for a time because of a coding error. In one of the costliest such errors, credit bureau Experian Inc. was forced to shut down its online service in 1997 after several people were able to see financial information about somebody else due to faulty software.

Smith said he felt the American Express breach was especially sensitive because it involved people who might know each other.

"It's one thing when you see strangers' information, but within a company, that sort of release could let people know more than you might want them to know about others' salaries and benefits," he said.

But at the WMC-TV offices yesterday, where employees worried that someone could be opening credit-card accounts in their names, the fact that the leak may have been contained to their own company was good news.

Phenix, 27, says he tried not to look at the information in his letter and handed it over to his supervisor yesterday morning. "She just sort of laughed, but I could tell she was glad to get it back," he said.

Clifton Raphael, the station's newscast director and a Raycom employee for 18 years, received information on a former colleague who had gone to work at the company's Shreveport, La., station. He called his old co-worker yesterday afternoon to tell him he would keep the information safe.

Raphael said he hopes someone will do the same for him.

American Express's Miller said the company is committed to working with clients to investigate any problems that arise. Tena Friery, research director of the Privacy Rights Clearinghouse, a national advocacy group, said the company could do better. She suggested that American Express offer to hire an outside company to monitor a sampling of customers' reports for a number of years.

http://washingtonpost.com/wp-dyn/articles/A36460-2001Jan23.html

-- Carl Jenkins (somewherepress@aol.com), January 24, 2001