States faulted over privacy breaches; tighter security urged
Eds: Moving on general news and financial services.
AP Graphic FRAUD IDENT THEFT
By SCOTT BAUER
Associated Press Writer
MADISON, Wis. (AP) — Tax forms were sent out to thousands of people in Wisconsin with their Social Security numbers on the mailing labels. A vendor hired by the state of Georgia lost a computer disk with the names and Social Security numbers of 2.9 million people. A disk with similar information disappeared in Rhode Island.
While some of the biggest and most spectacular privacy breaches in recent years have happened at large corporations, state governments have also mishandled or failed to protect some of the sensitive information entrusted to them — data that identity thieves would love to get their hands on.
Yet most states don’t have statewide privacy officers in charge of safeguarding data, statewide policies on protecting sensitive material, or standing procedures for responding to breaches.
"This is an area that has not gotten much attention, and there’s a lot of sensitive information stored by states. It’s not well-protected," said Robert Ellis Smith, publisher of the monthly Privacy Journal newsletter.
In many states, wills, deeds, divorce papers, death certificates and other public documents that contain Social Security numbers, birthdates, addresses and signatures are accessible via government Web sites for free or a small charge — or through hacking.
With a few mouse clicks, privacy activist Betty "BJ" Ostergren has found Social Security numbers of former Secretary of State Colin Powell, football star Joe Namath and former Florida Gov. Jeb Bush.
"Its just amazing to me that we’ve got this stuff and we are putting millions of people at risk," Ostergren said.
Through her efforts, several states have blocked online access to certain records, or redacted information such as Social Security numbers.
Ostergren, who runs the Web site The Virginia Watchdog, said her goal isn’t to prevent people from seeing public documents, but to at least make it a little harder for them to do so, by making them go down to the local courthouse to pull files.
Over the past year or so, security breaches at the discount retailer TJX Cos., the Maine-based supermarket chain Hannaford Bros., and other corporations have exposed tens of millions of credit and debit card numbers and led to thousands of cases of fraud.
It is difficult to say whether states are better or worse than corporations at safeguarding private information, said Joanne McNabb, chief of California’s Office of Privacy Protection. The protections adopted by businesses aren’t as public as what governments are doing, she said.
According to one Web site that tracks data-loss cases, etiolated.org, since 2000 about 21 percent have come from state and federal government. The biggest share, 40 percent, comes from private businesses. The rest come from educational, medical or not-for-profit sectors.
The Privacy Rights Clearinghouse, a nonprofit group that is pushing for better protection of information, lists hundreds of security breaches by government, universities and businesses. According to the group, more than 224 million records containing sensitive information have been involved in security breaches since 2005.
The Federal Trade Commission estimated that consumer fraud and identity theft cost Americans $1.2 billion in 2007.
The breaches in Rhode Island, Georgia and Wisconsin took place over the past two years and have not resulted in any reported cases of identity theft.
In a little over a year, Wisconsin had three incidents in which Social Security numbers were viewable on mailings that came from the state or through a contractor.
In response, Gov. Jim Doyle ordered agencies to stop using Social Security numbers as identifiers unless necessary, and called for each agency to designate a privacy coordinator.
Jane Marvin, 67, of Sun Prairie, said her Social Security number was revealed on a tax form and also on a second mailing for beneficiaries of a state program for senior citizens.
"It’s in the back of my mind that you’ve got to be careful," she said. "I just think these numbers are out there. They’re too easy for people to get a hold of. The government never does anything right."
California is considered a leader among states in safeguarding sensitive data. It has had a state privacy chief since 2001.
McNabb, who has held that post the entire time, said states should at least look at the information they collect and determine whether it is necessary to obtain it. She said they should also conduct an inventory of where that data is stored, and train employees better in handling it.
On the Net:
Privacy Rights Clearinghouse: http://www.privacyrights.org
The Virginia Watchdog: http://www.opcva.com/watchdog/