
Thursday, December 04, 2008

Florida State Agency Exposes Consumers' Sensitive Personal Data... Again

I usually don't write about data breaches, since there are plenty of blogs and web sites that track data breaches. However, this breach seemed worthy of a mention given the lack of organizational responsibility and accountability. Yesterday, the Sun-Sentinel reported:

"... the sensitive personal information of at least 250,000 Floridians was posted on a state government employment agency Web site... The Florida Agency for Workforce Innovation inadvertently posted on a test computer server or searchable database the names and Social Security numbers of people who sought services at the agency's One-Stop Career Centers between January 2002 and November 2007, agency officials acknowledged Wednesday."

The agency exposed the most sensitive of consumers' sensitive personal data: Social Security numbers. Plus, 250,000 is a lot of records for which to fail to maintain data security. While the workforce agency posted a notice on its web site about the data breach, it does not get extra credit for doing so, since Florida state law requires notification of consumers after a data breach.

Rather, several disturbing questions remain unanswered by the agency. Why test a system with so many actual consumer records? The agency couldn't test with dummy data? What credit monitoring service was offered by the agency to its data breach victims? What employees and managers were held accountable? What consequences for those persons? What employee training was implemented to prevent future breaches?

And, this was not the first data breach by this agency:

"The incident is one of three known security breaches affecting Floridians this year and the second time the state's labor department reported exposure of personal sensitive information. In 2006, a workforce agency staffer in Tallahassee uploaded information to a test server that accidentally included the names and Social Security numbers of more than 4,600 people. The data was in cyberspace for 18 days before it was discovered..."

The newspaper also reported:

"Aaron Titus, information privacy director for Liberty Coalition, a consumer advocacy group based in Washington D.C., said he alerted the Florida employment agency shortly after he discovered the breach in October. According to Titus' analysis of the data, between 255,917 and 259,193 Social Security numbers were exposed including the Social Security numbers of 50 children... Titus copied the names whose information was posted and listed them on the National ID Watch's Web site - www.nationalidwatch.org, a project under Liberty Coalition - to allow consumers to search for their names to see if their information had been exposed."

Congratulations to Aaron Titus for discovering the Florida state agency's data breach. Congratulations to the Liberty Coalition for advocating for consumer rights and for promoting consumer awareness regarding data breaches. Greater consumer awareness of both data breaches and identity theft is needed.

While the NationalIDWatch.org site is admirable in its effort to help consumers learn if their data has been exposed during unannounced data breaches, I have concerns about the site. First, it is the responsibility of the government agency or company to notify affected consumers, employees, and former employees after it suffers a data breach. Nothing should reduce that responsibility, especially since not all states currently require the notification of consumers after a data breach. I fear that some smaller businesses and government agencies may avoid notifying consumers if they know that a site like NationalIDWatch.org will notify consumers for them.

Second, I briefly looked at the Liberty Coalition's www.nationalidwatch.org web site. It's great that the site attempts to cover the smaller data breaches that can easily go unnoticed and unreported. However, the name search mechanism could give misleading information, since many consumers share the same or similar names. Yes, the site provides disclaimers that the information is provided "as-is," but consumers may purchase credit monitoring services (or not) needlessly.

Frankly, I question the wisdom of copying the names of affected data breach victims as the Liberty Coalition did in order to update its database of data-breach victims. A better approach would be to maintain a publicly available database of companies and state agencies (and their senior executives) that fail to notify their data breach victims, especially in states that don't require notification.


  • © 2007 - 2009. I've Been Mugged and George Jenkins. All Rights Reserved.