What we're going to do this morning, as I said, signing off, we're going to, as much as we were coming very close to the finish line on S-10, this intervening development is more urgent. We have a technical deadline of March 31st to get the governor to sign S-10, but I think we have a realistic deadline of much sooner to get actions and motion on the 1099 issue. Yesterday, because of the newness, Commissioner, of the issue, I think at least I was more focused on how we were going to correct the problem in terms of getting the right 1099s out and avoiding confusion with the claimants who got these things, but it quickly, by the end of the morning, it quickly became more apparent that one of the more urgent things that needed to be addressed is how we prevent or cure to the fullest as possible identity theft. So with that said, I've invited members from the attorney general's office, they have dealt with identity theft issues, we've dealt with identity theft bills in this committee at the time of Equifax and other big breaches, so there are experts in the state on identity theft, so they're going to give us some of the details, but I wanted to give you a first opportunity, Commissioner, to tell us what you're thinking, what you're doing, who you've been in contact, and what kind of resources you might be looking at, but we want to be all over this because it's no fun having your identity stolen. Absolutely agreed. I want to distinguish at least the difference between identity theft and a compromised identity, and that is only just so we are speaking in clear terms. So right now what we have is a situation where individual Vermonters have had their identity, or I should say their personal identifiable information or PII compromised. We do not, at this time, know of any distinct cases where someone's identity was stolen or used improperly.
That being said, it doesn't remove the significance of the situation we're in, so just to recap, we had a number of 1099s that went out the door late last week and found out on Monday that there had been a processing issue in the transfer of the data from the mainframe system and our other systems for managing the benefit programs to when the 1099s were printed and then eventually mailed. We're working to identify where that failure occurred in the process, but essentially what ended up happening is a series of social security numbers and in some cases corresponding names ended up being mailed to someone other than the person whose name or social security number was on the document. We are narrowing that population as we speak. Can I have a clarifying question? Yes ma'am. It might just be syntax, but I think I just heard you say their name or social security number. Do you have reason to believe that in all the documents it would have been the same person's name and social security number? So we have cases where the name and the social are not corresponding and do not match and we have names and social situations where the name and the social do match. So we have both. Again, it looks like it was likely a human error or manual error in the way the file was eventually sorted maybe for printing or mailing purposes. I don't know right now, but it looks like the way the file was sorted caused the information to be shuffled within the file which then got printed and mailed. So we've got a number of different actions going on and I see Senator Brock has his hand up. Senator Brock. Just a quick question. When you say the information may have been sorted improperly during a transfer, was this something in which data was transferred from the mainframe to an Excel spreadsheet and then processed from? Well, so it depends on the program. The VSTS program and the LWA program were managed outside of the mainframe. 
So some of those records come from a spreadsheet that was already being kept for purposes of managing those programs. We did have to validate and cross-check that against mainframe data and then we also had to validate and cross-check that against our financial records for how many benefits were paid to each individual. So it's likely and I don't want to speak in concrete because I just don't know the answer yet, but it's likely it was some type of Excel spreadsheet that was then used for printing processes that then got shuffled. So Commissioner, just trying to get an idea of the scope here because yesterday we've been number 55,000 several times and I reviewed the transcript and at the end you're saying the real people who are in danger of having their information misused by another person are lower. Maybe I misunderstood that, but are we dealing with in terms of, I mean we don't know what the cure is yet, but to deal with the really people who are threatened with having their Social Security name given to a third party's, a third citizen's hands, what is that number? So we and thank you for the opportunity to clarify because I also think it hasn't necessarily been clear in the media as well. So in total and this includes the PUA program, the LWA program, the VSTS program, and the $1,200 prepay program. In total of those four programs that were mailed that represents about 75 to 80,000 1099 documents, not people but documents. So we are working to identify of that total population how many unique individuals does that represent. To date the only errors that have been reported to us are on two of those four mailings and that is the LWA mailing and the Vermont short-term supplemental benefit mailing. So between those two mailings that actually takes the 80,000 1099 and drops it down. And we do know that in those two mailings that the total impacted population is roughly 44,800. 
What we don't know yet is that there was a whole number of those files that never made it to the mail. So they were stopped in the post office and returned to the department having never been delivered. And so what I don't know right now is of the 44,800, whether or not we can even chop that number down even more and potentially get it closer to the actual impact of population. And so what we're working to do is get a handle on whether or not there are people in that file that never made it out the door. Are those 44,800,000 people or documents? The 44,800 are people. Okay. And I think just from I would just say from a security and being overly sensitive and cautious in this scenario, I mean we are likely looking at the 44,800 as the total potential impacted population and that's the population we will be working with going forward. And then I think we will also be looking to see whether or not there are opportunities based on the mail that was returned where we can actually remove people from that 44,800. So my final question on the numbers here, let's assume the 44,000 gets cut in half to 22,000 because half of them didn't get mailed and get sent back to you from the post office. Of that 22,000, how many or is there any guesstimate how many of them have problematic errors in them that would cause people to be concerned with the potential for identity theft? That's what I thought you were saying. Yes. Yes. So I would treat that right now based on what we absolutely know. We are treating the 44,800 as the total population where they would have had their data released. Let's put it that way. I think we are now working to say how do we remove people from that and give some reassurance to folks that maybe their data still resides in our office downstairs. And that's, but I think from a security perspective, we are working at the 44,800 as our starting point of impacted population. I'm not, maybe I'm not being clear. 
I understand that taking a conservative approach, which we need to do here, that we want to help those 44,000 people. If I guess the simplest way I can ask this question, how many of those 44,000 mailings, whatever, had the correct information in them? Or did every single one of them have wrong information in them, sent to the wrong person? Yes. So I, to what you were saying before. So what I do know is that so of the two populations, the LWA population right now, based on the preliminary numbers we've pulled, there were 39,126 LWA 1099s that were mailed. The number of 1099s in that batch that exposed someone's identity was less than 20 in total. However, of the Vermont short term supplemental benefit, that total number of pieces was, so I'm going to say there were 34,043 that were printed. And roughly, you know, 18-ish thousand that actually went out the door. And so of the 18,000 that went out the door, almost all of those had corrupted information in them. So I think you're right in your assessment, Mr. Chair, that the actual population of people that are likely impacted is somewhere around 18 to 20,000. Maybe as many as 25,000. And I think we'll be able to narrow that as we see what exactly exists as we're going through the mail. I think what we're also trying to be mindful of is the immediate need is getting clear information to claimants, getting those that want protection, protection. And I don't want to, I don't want to lose time by having people conducting counting downstairs before we mail anything out. So I think we are going to treat the 44,800 as our starting point of letting them know that they are potentially impacted from a security perspective, letting them know that the department will provide coverage to them, and letting them know that we will notify them at a later date if we find that they were not involved in the impacted population. But I think we'll take a time for working with the 44,000 right now. Senator Rom. I have a couple questions. 
I want to share some positive feedback first. I did hear from people from my, you know, kind of trying to give them information via form quickly, that those who got emails felt a lot better from receiving the email, gave them a lot of helpful information. I, so I'm wondering about people who don't have emails, if there is, you know, if the mailing is the only thing they're getting or they, there is a universe, you know, if that don't have emails where you could give them a call instead. And the second thing I'm wondering is there's a small but really deeply impacted population of people that may not speak English well for whom something about their identity and their identification numbers is very scary to not understand. So I'm just wondering if you can talk about any language access work you're doing. So most of the population has emails because they had to use an email address to file for benefits. There are cases where someone may have already had an open claim before our online application went live at the time of the pandemic. So there are, at times, when we look at the total population, people who don't have an email, I have made a note so we can look to see of the 44,800, how many emails do we have for those people on record. And that I'm hoping that can be a relatively quick process. And then we do have the ability to, to one, send out an automated phone message to those folks, although I think if we're talking about information sharing, you know, the letter that they receive hopefully in the next seven to 10 days will be certainly more valuable to them and provide them the information they need at their fingertips. And then from language access perspective, you know, I've also made a note so when we are, when we are mailing out that information, we're providing language access opportunities for them, just so you know, our call center does, we did enroll, you know, or sign up or subscribe. 
So there is the ability for any of our agents if they have someone who, where English is not their primary language or have trouble understanding, you know, we can, we can call an 800 number and loop in an interpreter. And we, I don't know how many times we've used that, but I do know we've used that in the past. So I just want to reiterate, Commissioner, what I was trying to say yesterday, and it's a language issue of another sort. I really encourage you to run by what you're mailing out or involve earlier on some advocacy groups who deal with populations, like claimants, maybe it's people from legal aid, to make sure it's communicated in language that recipients who speak English are going to understand and doesn't get wrapped up in bureaucratic things and covering your rear end and all the legal requirements of what you have to say. But I've seen that over and over again in my unfortunately very lengthy career where some of the advocacy groups look at letters that come out of the administration and they just cannot believe that that kind of letter has been sent by a governmental official. It almost thwarts the purpose of what you're trying to achieve because it gets people so confused. So try and, try and reach out to, you know, somebody, maybe call the director of Vermont Legal Aid and say you have somebody who'd be willing to help us on this. It could be just a review or they could be involved in the beginning stages, but I think it'll go a long way towards advancing what you're trying to do here. Anyhow, enough said. To your question, Mr. Chair, just so folks know, there are three major components in this response plan. One is recapturing the 1099s that went out. Just so you know, I mean, I even got an email today. There were, we got roughly 2000 pieces of mail today already of either ones that made it to various post offices but never made it to the recipient.
And so the post office caught it and they're now sending it back to the department. Or we've had individuals who literally went out of their way to say this isn't me and returned it to the department already. So I, you know, that's good news that hopefully that will continue over the coming days as we still send out information to folks. And then the second and but I say second but it's happening simultaneously is that the piece around the exposure of identities. So we are working on drafting that we have been in touch regularly over the past two or three days with the Attorney General's office, including this morning on a call with our general counsel who is here Anderson and myself. So we are working closely with them to make sure we're complying and also focused on consumer protection processes and rights and responsibilities. And I know they're here today and appreciate their support that they've given us so far. And then the third is obviously the mailing of the new 1099 to individuals, which will likely happen, you know, later this month. I think we're trying to make sure that we people get clear messaging about returning the faulty 1099 before we start issuing them a new 1099. So there is no confusion about which one they need to return. We're also taking every opportunity to remind folks that we're only talking about 1099s that came from the Department of Labor that were received at the start of this week. And I say that because there are many other agencies and departments that will be issuing 1099s in the coming weeks. And so, you know, they should be focused only on the 1099s that came from the Department of Labor and that were received during the week of the first. And those are the ones that that are were needing return. Yeah. And on your communication, Michael, it's you've improved the website. So that when you go to the website now it says right away at the top 1099 improper mailing and data incident updates. So that's an improvement over yesterday. 
So good work on that. Yeah. And that came from obviously conversations and an email from Senator Sorokin. Nice work. Good teamwork. Yeah, we immediately turned around and made sure we we made that that needed an improvement. Yeah. Senator Brock. Mr. I know that the immediate focus is as it ought to be on remediating the problem and getting back to where we ought to be on a longer term basis. Do you plan a form of independent review to examine not just what happened in this case, but the whole processing environment in which it did happen? And so you tell us about that. Yeah. Sorry. And I didn't mean to interrupt there. So my apology. Yes, twofold. One is having an independent review or audit done of what occurred. So the incident itself. And so that is the plan. And I already know, you know, whether it's from the public or obviously from other legislature legislators, there's an interest there. So I would just let people know that that is already something we are planning to do. And and just so they know that that we are aware of that. And that is part of our expectation. It's part of my expectation that we review and identify exactly where the incident happened, the gap in the system so that we can also get corrective actions in place to prevent that in the future. But to your other point, we, the department, and I've made this my own personal position, need to double down or even triple down on our quality control and quality assurance efforts across the department, but obviously specifically in the unemployment insurance area. And so we will be looking at at other ways to to one, look at the system, but also what level of processes, procedures and expertise do we need to bring on board to make sure that we're we're ensuring quality going forward. And yes, I see a couple hands up. So I'll stop there. 
Clearly, one of the the issues that it appears to perhaps be partially at fault here is the transmission of data from a mainframe to a an Excel spreadsheet that's been manipulated. And that probably is one of the top if not the top causes of failures that that that folks see in audits, financial audits, for example, it's it's a real dangerous signal. Yeah, absolutely. You know, it's it's frustrating because our our time our team spent so much time validating the data from the mainframe to just have a human error and accident occur. You know, or someone asked me yesterday, you know, can the mainframe be to blame? And I don't think so necessarily in this case, but I do think the antiquated systems we have are right. So the fact that we're now shuffling data from multiple programs and processes and having to do much of it in a manual fashion instead of an automated fashion, just like you said, Senator, increase the opportunity for error to occur. Well, there's good news and bad news in that. And the bad news is that there are other departments in state government with antiquated systems who are doing exactly what you're doing. And so one of the lessons perhaps for all of us is it is there is a likelihood that something like this is going to happen again somewhere else in state government unless we get our act together. Yeah, the risk is there. And certainly, you know, we need to double down on that. I will say I'll put a plug out there or shout out, you know, we immediately had a call from our colleagues in Connecticut, right in the division. And they actually went through something very similar back in, I think, 2013. So they essentially gave us their playbook, if you will, for how they responded and then what they did to ensure going forward that it didn't happen again. So, you know, I will give a plug to our folks there, you know, appreciate their active reaching out to us and saying, how can we help? 
I have, I'm trying to sort of paraphrase some some questions I've received. One being, there are there are people asking about whether or not they should download something online. Are they able you have a service where people can get their 1099 g online instead of mailed to them? And is that not compromised? Is that a better place for them to look? And are they? Are you eventually going to have something where they can, you know, like when this has happened with Target or Best Buy? I know that's very different, but you've been able to type in your name and someone could say yes, it's likely that your information was compromised. Like people want to be able to verify that. And then that FAQ says here's who to call because you're worried about your identity. You know, here's our free service for you because because of that concern. Do you think it's going to, and plus when I ask that, I'm also wondering as budget adjustment goes through the legislature, if this requires some kind of emergency appropriation to really to really get this right and make sure people are safe because this is just the last thing people need right now. Yeah. So to that question, I may ask Cameron to answer the question about accessing their 1099 online. I don't know if we've actually put them online yet. And but if they are, I would say that the data that the data that they would be accessing online is not obviously the same file that got printed. And so the information in the systems was accurate, although I we're also talking about two programs that don't currently exist in our mainframe. So they are likely what they would be accessing if they went into our mainframe or through the Salesforce application or actually the unemployment insurance, the regular UI 1099, which actually hasn't been mailed yet, or the PUA 1099, which while we are asking everybody to return all 1099s, right now we have no reports that there were actually any issues with the PUA 1099s that got made. 
But instead of having to for someone to try to figure out which one is which, we're just going to have them return all of them and collect them. But Cameron, if you want to speak to that, then I can I can speak to the other part there. Just very quickly, Senator Rom, I will validate what the commissioner just said. You know, we do take the 1099s for the regular UI program and we make those accessible through our traditional claimant portal. We had not yet done that. So I believe if they go into their claimant portal at this point in time, they would actually be able to access their previous 1099 from a prior year if they had one. But there is no indication at this point that our traditional UI 1099s were incorrect. And as the commissioner mentioned, we haven't yet mailed those. And the same thing with the PUA. There's no indication at this point through our investigation that the PUA 1099s are incorrect. So I would say that you're saying online they can't get 2020 1099s. For the regular UI, not yet. We have not uploaded those files into the claimant portal. But they shouldn't be concerned about pulling information from the web from our claimant portal or from the PUA portal. Because what they would be pulling would be 1099s that we in our investigation have not determined they are inaccurate limited to the inaccuracies. As the commissioners mentioned are the LWA and the Vermont short term supplemental program. And unfortunately, those we will not be putting online to be able to download at this point in time, you know, at least at a minimum until we're able to resolve these outstanding issues. But we didn't at the time have any indication of putting those online. So I just want to reassure people, your constituents that if they're grabbing information online, it would be accurate. But it would not be updated.
And one person emailed me and said, you know, their understanding is that the sooner they file their taxes, the less exposure they have to the possibility of some kind of breach of identity or identity theft. I don't know if you think there's something to that getting their information to them sooner helps them file their taxes sooner and avoid some kind of issue that they might have. I don't think so. I would obviously kind of probably refer that question to maybe the AG's office or somebody in the state with better expertise. I'm not aware of any of anything filing sooner is going to somehow protect them in a situation like this. We do have to upload our 1099 files to the state tax department and to the IRS. One thing we've tried to assure individuals is we have not done that yet. The deadline for that is later than the date to mail 1099. So try to reassure individuals that we have not uploaded incorrect information to either the state tax department or the IRS. We will ensure that that information is accurate when it gets uploaded. Well, Commissioner, I'm going to ask you for a favor here. There's so much information being shared here so rapidly. I would like if you could maybe in a one or two page memo layout bullet points or whatever the action plan as of today, knowing it's subject to change and that you could periodically update it. But it's really hard to stay abreast of what's going on. I think we have a need and a right to know what's going on. So if you could prepare a memo to us of where you're going at this point unless concerned about all the history, but the history obviously will play in. And secondly, I want to move on because we're going to move on to the AG, but what is the action plan in terms of people's concern that their identity may be compromised? And what are we telling people today? And what could they look forward to in the future to help allay their fears and also provide protection against bad things happening going forward? 
Yeah, thank you, Senator. And I'm just pulling up. I believe it was in our weekly update or update to the legislature, but I just want to pull it up. So as you know, folks received an email last night if they were in any of those four populations. And at the bottom, it did identify next steps and actions that they could take immediately to protect themselves against identity theft, whether it's the recommendation to obviously monitor their various accounts, credit cards, financial statements, and so on. But it also gave contact information for the three major credit bureaus to be able to add an alert or freeze to their credit report. It also provided them two federal locations online, one IdentityTheft.gov, which comes out of the Federal Trade Commission for recording identity cases of identity theft, and then USA.gov, which actually provides a series of tips for protecting your identity. So that went out yesterday. Once we, now that we know this population of people who actually had their information exposed to some degree, we will now be ramping up our communication to them through email, letting them know next steps. But the actual physical actions from the department will be a mailing that goes out to the exposed population next week. And in that mailing, it will give them instructions. And my understanding is our general counsel will be working with the AG's office on appropriate language as well. But it will give them a lay of the land, if you will, for their exposure and what the department has an obligation to notify them of. And it will also give them next steps for how to enroll in protection services should they choose. And so we are working through the logistics of how to get them the opportunity to enroll at no expense to the consumer in this case. To Senator Rahm's question about appropriations, we have already had that started after that. Let me interrupt for a second. So just an example, I was unaware of this email. I haven't seen it.
People like myself are talking to the press without all updated information. So this is another reason why it would be good to have a memo for the committee and an update of that as things go. So please include us as policy makers in these mailings that go out to recipients. It's really important that we have information in real time. I'm not. It sounds like you're doing a lot to get the information out. I have some discomfort. I don't know if it's shared by other committee members that this information is going out next week sometime in a letter, which may be received eight or 10 days from now. People are worried today. And I'm wondering if there's something preliminarily that can be done to get things out as widely as possible. Maybe your email of last night, which I haven't seen, does that. But maybe it should be a statement by the governor, a statement in the press. Some kind of thing where people say we have a lot of we are moving forward on a lot of fronts and this is containable. Stay tuned. I just feel that there's probably a lot of people out there that have gotten bits and pieces and are worried and government moves slow, but there perhaps are preliminary steps that can let the public know. I think it needs to be we've got members of this committee who are great with social media and getting out words and front porch forum and stuff like that, but that's not a coordinated fashion. The message could get garbled or mixed and maybe dated. I don't know. I'm going on and on. But I hope you get the sense of what I'm trying to say here. Absolutely. And I think there's a balance there between obviously wanting to get information out timely, but also making sure we're actually have something to tell folks. And so I think the email last night was the start of that. I don't want you to think that there will be no communication between the email last night and the letter that goes out next week. 
I think what we are trying to figure out is how to enroll these folks in protection. And we just don't have that solution just yet. So we're working through that process right now. But I would even say when the physical mailing goes out, there's absolutely no reason we can't email those folks at the same time to let them know the same information in a more timely fashion. So even if we mail it on Monday, we may email them on Monday, so they have it immediately. They may get the letter later in the week. But there's some logistical things we're trying to figure out in terms of actually what do we want to tell them to do? But we will actually be contacting them over the course of this week as well. I would also just point out just so you are aware, Mr. Chair, we did, I did have a conversation yesterday with the pro tem and the speaker and gave them a status update. We did agree that the department would be providing talking points to them to share with legislators so that they would be in the loop and be able to provide constituents with clear direction. We also did, like you said, talk about how do we enhance the messaging that is going on out there from what's being posted on the department's social media and how do we how do we just make sure legislators are in the loop and could even enhance the spread of of that accurate information. So we are having those conversations, so you are aware. Appreciate the heavy lift. Thanks for your time this morning. We're going to move on to the AG, but before we do, you mentioned in a certain context the idea of steps that people can take with credit credit agencies. Oh, Senator, I think we lost your your microphone. Can you hear me? Yeah, we can hear you. It just Becker came on briefly. You made reference to steps people might be taking with third party agencies and I assume those come with some fees or costs. Is it the department's position to reimburse people who use those services? 
I may defer to the AG, but in my experience I've been able to add alerts and fraud alerts and credit fees to my account personally, which I did many, many months ago as we saw fraud sweeping the nation. And it has not cost me anything. And I don't know if that's a long term no cost or simply an adjustment that was made during COVID. As you know, there were other adjustments made where people could get their credit reports more frequently during COVID without a cost. So again, I may turn to the AG to talk about that. I think at this point, the area where we're focused on in terms of covering the cost would actually be true credit protection and monitoring service through a third party vendor. But I do think the things we recommended yesterday were all at no cost to the consumer. A latter thing you were referring to, you're saying that you are willing to pay? We can. You're saying the administration's position is those are the third party services you are willing to pay for? We are. I think what my caveat there would be, you know, the department is working to find a vendor that it can enter into an agreement with. So what I don't want people to do because we don't have a mechanism for reimbursing individuals right now. So I don't want people to go out and sign up and then ask the department to then cover the cost because we don't have a way to reimburse right now. What we have traditionally done in the past and what is best practice of what I've heard other states do is that we enter into an agreement with a third party vendor. We then, you know, whether it's the vendor gives us a code to use and we give that code to the consumer. So when they enroll, they can use a code that then makes it free to them to enroll. So again, I don't want people going out individually. You know, we are also trying to control how they enroll, but also the cost associated with that. 
Although the cost is not the primary factor here, but certainly we want to be able to control the cost of this. We are also talking with risk management to see whether or not any of these costs would be covered under, you know, our self-insured plan. Are you Mr. Chair? Yes. Can you hear me? Yes, we can Becca. Okay, just a quick request of the commissioner, going back to what the chair said. If your shop could get to the speaker's office in my office sometime this morning, a copy of the email that went out to Vermonters yesterday, that would be a big help so that I can direct people to that when I speak to senators on the floor at once. Absolutely. Thank you. Yeah, we'll send it right now. This contracting with a third party, are you in the process of moving forward with that? Is there any reason to delay on that? No, we are moving forward. I think we're trying to find out whether or not the state already has a vendor that it uses. So my understanding is we've been, you know, reaching out to maybe other agencies or departments and even procurement to see whether or not we have a vendor we have used in the past. And like I said, there are many options out there. So identifying the one that can meet our needs and moving forward. So that's already underway. Thank you, commissioner. Let's move on. We've got about 10 minutes or a little bit more if need be for the attorney general's office. Charity, Ryan, who's the best person to get us started on what the law requires and what you've seen in the past if there have been any analogous situations here or in other states, and most importantly, what aggressively can we do to make people feel more comfortable and to stop further leaks or thefts here? Mr. Chair, I'll just get us started and acknowledging the time crunch won't say much to begin. Ryan, of course, is our assistant attorney general who is a subject matter expert on data privacy and data breaches like this one. 
First, I am the chief of staff, Charity Clark, for the attorney general. And I also want to acknowledge that Wednesdays are remote learning day in my school district. And so with me is my six year old. So if we are interrupted, I apologize. So let me just begin by saying this is very serious. And I want to acknowledge that Vermonters have a right and should be able to trust in government and the government let them down. So it's here we are. We, the attorney general's office, have been in regular communication with the Department of Labor offering resources and what support we have to give. Really, in this arena, there's two areas where our office intersects with what's happening. And the first, Ryan will speak to, and that's the data breach notice act. And the second is our consumer assistance program, who are really the experts on helping Vermonters with identity theft troubles. And I can say a lot about that, as probably some of you know. But I don't want to say too much because Ryan can answer, I think, a lot of questions about the act. Let me just direct you to a couple of resources. The first is, of course, you can call CAP or email CAP, and it's 1-800-649-2424. You can also just email them. It's ago.cap@vermont.gov. They are, they have incredible amounts of information, which I won't go into here since we're tight on time, but also wanted to direct you to, we have a blog, a CAP blog. And anytime you have a question about a consumer issue, you can just search on the blog and guarantee you that there will be some sort of resource available. It's on our website, if you just go to the news media section on our homepage, you can click on that and you'll see there's press releases and there's CAP communications or CAP connections is the name of the blog. So I wanted to just offer that if you have constituents who have concerns, there's lots of resources there. But I don't want to take up too much time because I know Ryan has a lot of info to share. 
So why don't I just turn it over to Ryan to tell us about the Data Breach Notice Act. Thanks, Ryan. Thank you, Charity. Feel free to interrupt with any questions. Senator? Go ahead. Okay. So we deal with a lot of data breaches in I work in the, sorry, my name is Ryan Krieger. I'm an assistant attorney general in the consumer protection division. And one of our responsibilities is handling data breaches. We recently announced Saber breach. We handled Equifax. Unfortunately, this is a fairly common occurrence. There are two primary laws that data breaches fall under that we enforce in this area. The first is the Security Breach Notice Act, which I can run down in just a second. Importantly, the Security Breach Notice Act under its language applies to both private businesses and government agencies. So government agencies must comply with the Security Breach Notice Act. The second law we enforce in this area is the Consumer Protection Act. And basically we have interpreted that and all the other states in the Federal Trade Commission have interpreted that to say that if a business lacks reasonable data security, that can be considered an unfair or in some cases a deceptive act under the Consumer Protection Act. Certainly, if a business fails to remediate appropriately in the wake of a breach, that could be an unfair act. Now the Consumer Protection Act, however, does not apply to government agencies. It only applies to businesses and operations in commerce. So what that means is that from the Consumer Protection Division's point of view, we have responsibility to making sure that any government agency complies with the Notice Act as far as having reasonable data security or what happens if there wasn't, we are available to advise. We are available to provide information like this, but I don't think we have any authority to bring any sort of enforcement actions. 
I don't think we have, and if we don't have authority to bring an enforcement action, I don't know that we have authority to bring an investigation in that matter. Now as far as the Notice Act goes, we've talked at length about the Notice Act over the years in this committee. It requires preliminary notification to the Vermont Attorney General's office within 14 days of having the breach that has happened. The notice itself is confidential, although I think that the Department of Labor is being pretty transparent in how they've been operating here, but I can confirm that they've complied. The Notice to Consumers, which the contents of that are listed in detail in the Act, has to go out in the most expedient time possible and without unreasonable delay, but no later than 45 days. I haven't heard anything to indicate that they're not planning on getting that Notice out as soon as they can. So as far as our division goes, from the information we have at the moment, it appears that they are in compliance with the Security Breach Notice Act. The Notice Act does not require the provision of identity theft protection products. Some states have actually started requiring credit reporting. ID theft is a better product than the credit reporting product, so it's heartening to know that the Department of Labor is planning on doing that. That is the good protection for consumers. The question was raised about credit freezes and things like that. Credit freezes, there used to be a fee associated with them in the wake of Equifax, our state and many other states passed laws eliminating those fees. The fees were actually a statutory fee that was required in state law. So anyone who is concerned about personal identity theft can and should go to the three credit reporting agencies and ask for a credit freeze. And the way we advise people to do that is to Google Federal Trade Commission or FTC credit freeze. 
They have a website that has links to each of the individual credit reporting agencies and then you can go through that and you can do that freeze. You can also put a fraud alert on. The fraud alert lasts for one year and basically it flags your file so that if someone pulls your credit report they have to call you directly and say, did you intend to open this file? The freeze is, I think, more effective. It's also a little bit more burdensome to implement. So that's kind of a general authority. The other area, by the way, that our office is involved in in areas like this is if there is identity theft, if identity theft results from specifically tax fraud, identity theft, it is common every year around tax time for there to be a certain amount of ID theft fraud in the form of someone filing a tax return in order to get a refund that they don't deserve. And Senator Rand asked about the filing fast. What is that? And the notion is that if someone has stolen your identity and an ID thief is going to file in your wake, then you want to get your filing in first. At the very least, what that would mean is if you file after the identity thief, then what's going to happen is the tax department is going to see two filings and say, okay, one of these was false or not. That doesn't mean you're necessarily not going to get your filing back. But it would probably be you'll get a faster return if you get it in, get your return, and then the fraudster tries to commit the identity theft. Plus, it's always better to get your money back faster, earn that interest on your money instead of the state. So as far as if identity theft results from tax filings, I've actually spoken with the Department of Taxes. They have a fraud investigation unit. And if they identify an identity theft, they will communicate with the Attorney General's office. We will be the point of contact for people having identity theft resulting from that. It should it happen. 
And in any given year, it may happen, not just because of this. And then we will work with the state's attorneys, and we will determine the best course of action as far as if there is a verified example, pre-enforcement actions or prosecutions or things like that. So that would be the other area that we would be involved in. I think that's kind of the general overview, but I'm happy to take questions. Thank you, Ryan. Always a pleasure to have you here. You've given us a lot of legal requirements. Put yourself in the shoes of one of these UI recipients now who's read about this snafu and is concerned about identity theft. What's your advice for them? Well, my advice for them would be the same advice that we were giving out after the Equifax breach, which I think affected half of Vermonters. It's a really unfortunate thing, but I think all Vermonters should assume that their Social Security number has been acquired by someone in some context. Data breaches have become so ubiquitous in this area. So what can you do? Freeze your credit reports. It's the single most effective way that you can protect yourself because if your credit reports are frozen, that means that no one can open up a loan account in your name. It can't happen. A bank calls Experian and says, someone is trying to open an account, Experian won't release your credit report, so the bank can't open an account. And pretty much when you think about identity theft, you're talking about people taking out loans in your name or opening credit cards in your name. None of that can happen. We actually had some legislation where we talked about the possibility of making it easier for people to do that. Also, in the wake of Equifax, a federal law went into effect, which I believe preempted a lot of our ability to operate in that particular area. And you can talk to Ledge Counsel about that sort of issue. But really, freeze your credit reports. Download your credit report. 
You have a right to a free credit report from each credit reporting agency each year. So if you wanted to time it, you could every four months download one from Experian, one from Equifax, one from TransUnion. And the reason you download your credit report is because it shows you, first off, well, it shows you all the accounts open in your name. If you see an account that you don't recognize, that's a red flag, right? You should call that bank or that lender and say, I did not open this report. It's also very important to look at that anyway because there are frequently errors on these reports. And these are the reports that banks use to determine whether you're creditworthy. So you look at the report and if it says you haven't been paying your bills on time, but you know that you have been paying your bills on time, that's when you fix it. If it says that you lived in a place or your name is wrong, I've looked at my credit reports and it has an alias for me that I've never used. So they get things wrong. So you want to download your reports. If you don't plan, even if you do plan on taking out a loan sometime soon, freeze your credit report. And then what happens is if you decide you want to take out a loan down the road, let's say you want to buy a car, you need a car loan, you say to the car dealership which credit reporting agency do you use? They say TransUnion. So then you go to TransUnion and put a thaw on your credit freeze. You basically go in and say, for the next week, let people pull my credit report and then put the freeze back in effect. And then you can do that. It's one of the most effective things you can do. You want to be looking at your credit card statements. Make sure that there's no fraud on your credit card statements, although I think as far as the social security number breach, that's not as big a concern for you to worry about. There is personal ID theft insurance that you can buy. You can get a rider on your personal insurance. 
We don't recommend any particular insurance one way or the other on that. It's a little fraught to try to do that. But these are steps that everyone should be taking regardless because ID theft has just become so ubiquitous and so widespread. And it is a really unfortunate thing. There are certainly things I think on that question. We as the state might be able to help out more with, but that is a separate conversation for another time. So that's the advice that I would have. So drilling down a little bit on that, it sounds easy to say to someone, freeze your credit report, but a significant number of people are not going to have any idea what you're talking about or how to do that. What do you do for those people? Well, I think that I think we may have a link on the CAP site that we can direct them to in order to do that. So we can direct them to the instructions that are on the CAP website. Ryan, can I jump in and also just say, folks at CAP walk through this with people who call. They would be more than happy to say, okay, let's call this up together. You hit this button. All right, we do that all the time to just hold the hand of the Vermonter who might need that extra assistance. They're great at that kind of thing. So definitely I would encourage folks who have troubles to call CAP. I think I would also just add that if you get a letter on government letterhead from in a government envelope, you should probably trust that letter. If you get a communication about this breach or any other breach that you don't trust or you're not sure about, call CAP. We get calls about that frequently to ask. We require businesses to send their notices to us. We post them on our website so that people can confirm them. And I say all this because in the wake of something like this, there may be fraud. Fraudsters might see this as an opportunity to contact people and say, give us your social security number so that we can fix this sort of thing. 
Don't give out your social security number to anybody who calls you out of the blue or sends you an email with a link that says click here to give us your information to sign up for ID theft insurance or things like that. So be on heightened awareness for potential fraud coming out of something like this. Have you seen anything? We heard the commissioner say that he's in contact with third parties to provide financial protection services. Have you seen anything in Vermont or other states where there's been a breach by state government where they've gone to various degrees to help out even though they're not covered by the consumer fraud act? I don't know the specifics of how specific other states have handled this. I know that it's becoming fairly common in the business community to offer these sorts of additional services. And there are businesses that offer kind of like a bulk license for people to sign up for them, partly because they get offered. A lot of people don't actually use them. So it might seem like you're offering this very expensive service, but a lot of people don't just choose not to opt into it, which keeps the cost lower. So I suspect it's fairly common for this sort of thing to happen. So would you recommend at this point, let's assume we have entered into a contract with a third party that will provide this service to 44,000 people at a not, probably not an insignificant cost to the state budget, but would you recommend an opt out provision or we're going to see far less if people have to sign up? Is there any reason why we shouldn't extend it to all the people that have been impacted? And if they choose for whatever reason, they don't want it to have to opt out? I honestly don't know if there are ones that operate by an auto enroll that you get it, unless you say otherwise. I've always been under the impression that it's the sort of thing where you get a signing code and you have to take a step to select it. 
I think that's something that if there is an opt out possibility and it's cost effective, then I don't see that as potentially beneficial. Okay. So what else? I mean, it sounds to me like what's jumping out at me is that we've got to get the word out to the public like that there are cures or working on it, maybe give a little more detail, getting the CAP number and an email address out to people, giving people a sense of calm that it's being worked on and there are effective solutions. You deal with, Charity, you deal with consumers all the time. Would you agree that we need to do that as soon as possible? Yeah. And actually during the course of this testimony, I think two members of the press have emailed me asking for comment. So I think that the press is certainly interested and I really appreciated at the governor's press conference yesterday. I think that was helpful. I actually did know that a letter went out to folks who might be affected because a friend got one and told me about it. So I think that this, you know, slowly the word is getting out and I agree it's very important. And I'd love for folks to know CAP's phone number so that they know that we're a resource if they need help or just information to reassure them. Okay. And quickly, if I was just going to say I just was looking at the CAP website and it hasn't yet been updated with this press release in the links below. So it might be helpful to do that right away. So people know that this is the place to look for this information. Thanks. And the other message I suppose would be helpful to send to people is if you happen to be the recipient of one of these missent letters, do the right thing, put it in the self-addressed envelope, send it back to the Department of Labor. By getting those back, the Department of Labor will be able to confirm, you know, that the numbers that people received is lower and lower and lower. 
Even if someone's not going to use it, you know, sending it back would be helpful so that we know that it was made safe. If they don't want to be bothered to send it back, at the very least, don't just throw it in the garbage. This is an information with sensitive information. If you have a shredder, shred it. If you don't have a shredder, throw it in your wood stove, you know, those are two very effective ways of destroying documents. But this is a sensitive document, even if it's not your document, you know, we're all in this together, these are your neighbor's information. So, you know, just, just, you know, please do the right thing and get those. If you're talking about evil or nefarious people, I mean, can you rely upon the fact, can the Department rely upon the fact that they've gotten the misinformed 1099 back as something they could write off as we don't have to be bothered with this case anymore? I mean, someone can just transpose the information there, put it on a yellow pad and send back the 1099. I mean, I suppose so. I mean, certainly, I suppose if someone, you know, it sends it back, you know, first of all, I suppose another message would be that, you know, it may be knowable who got which people's wrong social security numbers. So, if you do actually are evil or nefarious, this would be a really dumb ID theft to do because they'd probably be able to trace it back to you pretty quickly. So, you know, just, just, just do the right thing there. That's, you know, it's always a good message. Before Michael responds, can I ask something that's kind of directed at Michael? Just when we say do the right thing, I just want to give people really crystal clear information about what doing the right thing is. And I still want to make sure I'm clear. Whatever kind of 1099 they got, if it's retirement as opposed to a 1099G, are you just asking for 1099Gs to be returned of the 1099Gs? 
Even if they think everything's correct, do you still want them to return it? And if they wrote return to sender and just put it back in the mail before they got the guidance about the envelope, is that also considered doing the right thing? So, those are the three questions I just need serious clarity about. Kaysha, would you mind if we take that, those specifics offline? We're really running here. And, you know, we're going to have questions like that that come up throughout the course of the week. And, you know, please, you know, maybe put them in writing and copy the committee, because we'd all like to know the answer. I'd like to move on. Commissioner, I see you have a hand up. If it's really quick and essential, let's deal with it. If not, we're probably having you back tomorrow and the next day. So, I will keep it very brief. And it was just to also point out, you know, while we cannot be assured that if someone returns the 1099 that they didn't copy the information down, but by getting the 1099 back, we can be assured that it didn't get tossed in the mail and not destroyed of properly. And so, the leakage is less likely if they've actually returned the physical document to us. Thank you. Thank you, Charity. Thank you, Ryan. Thank you, Commissioner. We're going to take a five minute break and we'll come back and we'll deal with ACCD issues. Thank you.