Stanford has hired Kroll, a New York-based risk consulting company, to provide free identity theft protection for thousands of current and former employees affected by the recent theft of a University laptop, according to a letter to employees from Stanford CFO Randy Livingston.

For one year, Kroll will provide Stanford employees with access to its ID TheftSmart Enhanced Identity Theft Restoration, Continuous Credit Monitoring and Trimerged Credit Reports. Livingston, who is also the University's vice president of business affairs, called the company’s ID TheftSmart program “one of the most comprehensive programs available to help protect against identity theft.”

“All at no cost to you,” the CFO added.

University administrators were not immediately available to comment on the cost of engaging Kroll, whose parent company Marsh & McLennan Companies earns over $11 billion in annual revenue.

The letter — passed on to The Weekly by a current employee — also admits a “clear violation” of Stanford’s information security policy and procedures.

“Stanford has well-established policies and guidelines in place that should have prevented this type of incident from occurring,” Livingston wrote.

Under Stanford policy, restricted data such as that in the stolen laptop’s data file may not be stored on a laptop or any other unprotected system or device. In light of the University’s policy violation, Livingston will lead a task force to review policies and procedures regarding sensitive data, according to Stanford’s privacy Web page.

Although Director of Media Relations Jonathan Rabinovitz declined to comment on any details of the ongoing police investigation, Livingston told employees there has been no evidence that the information on the laptop has been “improperly accessed.”

Rabinovitz also declined to comment on the format of the data file, including whether or not it was encrypted.

The personal information — including name, birth date, social security number, salary, employee identification information and contact information — of nearly 62,000 employees was contained in the laptop. Driver’s license numbers, credit card numbers, bank account numbers and other financial information were not on the machine’s hard drive.

Rabinovitz declined to comment on how far back before September 2007 the personal information spanned, as well as on the time and place of the theft, the employee originally in possession of the laptop and the status of the ongoing police investigation.

“We are not disclosing details of the incident as it could compromise the investigation under way,” the media relations director said in an email to The Daily.

Some employees expressed disappointment at what they said was the administration’s lack of updated information.

“I am hoping more information will be made available very soon,” said Romeo Durscher, financial management analyst for the HEPL Solar Physics laboratory.

“I haven’t heard a whisper since [the original email], even to say, ‘We still haven’t recovered it,’” said Kevin Leung ‘11, a section leader for the Computer Science department whose information was not contained on the laptop because he was hired post-September 2007. “A follow-up would have reassured me that they are actually doing something about this.”

Computer Science section leader RJ Walsh ‘11, whose information was not on the laptop, called the incident a “flat-out failure.”

“With modern computer security technologies and known vulnerabilities, this was a flat-out failure on the University’s part,” Walsh said. “All sensitive data should be stored on remote servers in a protected location.”

“Data should never be copied to private computers for any reason, because not only is it impractical, it’s unsafe,” he added.

Walsh was optimistic, however, that the University will revise its policies.

“It’s good to know that the University wants to be transparent, and there will definitely be changes to the in-place policies,” he said.

Durscher remained disappointed that protection will only be in place for one year.

“Protection should be set up and stay in place for not just one or two years, but rather 10 years at least,” the employee said. “It won’t be cheap, but that’s what happens when something like this happens.”

Those affected by the theft can call 1-888-200-8799 for Kroll’s ID TheftSmart member services or visit http://www.stanford.edu/privacy for more information from the University.