TOPIC: Information Security

Information Breach?

AVP at a credit union ($175M, USA)

One of our branches was served a garnishment. When a branch receives one, they scan it over to the correct department that handles them. Well, the scanned document was sent out to an outside contact instead of to our department employee. The outside contact (current member) did not respond or say anything, and this went unnoticed until asking the branch what happened to this document. This incident happened 3 months ago. This didn't contain any credit union info, but did include a member's name, address, garnishment information, and last half of their SSN. This account has been closed for several years. Our Information Security Policy doesn't address what steps we would take in this situation (working on updating that). How would you handle this? Would you send something out to the current member who received this info and also the member whose account is closed, but whose info was listed? Does your information security program list disciplinary actions as well?