When more than 320,000 Nashville voters' personal information was breached in late 2007, it was a turning point that propelled the incorporated Metropolitan Government of Nashville and Davidson County to assess and define IT security policy, among other internal changes.
A laptop was stolen from the Davidson County Election Commission office, along with other electronic equipment, after someone threw a brick through a window in December 2007, said Metro Technology Chief Keith Durbin. While there was no evidence that voters' Social Security numbers or other personal information was accessed, the laptop wasn't encrypted, so the government had to assume the worst, he said.
"We got a lot of [media] attention, as you might imagine," said Durbin, noting that along with the mayor and City Council members, his voter registration information was on the stolen laptop. "It truly was a defining moment."
That was nearly three years ago. It was a wake-up call for the combined government, which has roughly 60 departments and agencies. Mayor Karl Dean, on the job just months before the security breach, set into motion a series of executive orders that established oversight boards and training programs, in hopes of preventing future security issues. A comprehensive security policy is set to go into effect this fall, and Durbin is in the process of hiring a chief information security officer to lead the effort. In the meantime, a few security faux pas have occurred, but nothing close to the magnitude experienced in 2007, officials said.
Human Error and Outdated Policy Faulted
"There was a cavalcade of security issues ... that really set in motion a series of events that has culminated in us putting together a comprehensive program," Durbin said. "What we've seen has been human error of some sort, or policies that haven't been adhered to."
A recent article in The Tennessean highlighted these issues, the most recent of which involved three Nashville flood victims' banking information being posted online. The assessor's office, in allowing victims to apply online for property tax deferments, disabled the password requirement, which essentially allowed anyone visiting the website to view copies of their canceled checks, Durbin said.
"The human error was taking a secure system and doing the stupid thing of taking the password off," he said.
Another security incident occurred in April, when the county criminal clerk's office, responding to a public records request, inadvertently released the Social Security numbers of the clerk and two other employees. Citing human error -- there was no IT factor -- Durbin said it was strictly an oversight.
And more than a year ago, in August 2009, the Nashville Career Advancement Center exposed the Social Security numbers of 160 clients on its website. The center was using a Web application that was developed nearly 10 years prior, coupled with outdated security standards, and Durbin described the breach as "a huge embarrassment for the organization."
That incident wasn't quite human error, however, as the information wasn't on the city-county network, but was hosted outside the metropolitan system, Durbin said. "And again, at the time, there were no comprehensive policies that said stuff needs to be secure, hosting needs to be secure, applications need to be secure, it needs to meet these standards," he said.
Last, the names and banking records of about 500 juvenile offenders were potentially exposed in February 2009, when an unencrypted flash drive containing that information was lost by an auditor. The city-county didn't have a thumb drive security policy, Durbin said.
Advisory Boards, New Hires and Policy Implementation
Despite these recent setbacks, Nashville is poised to implement a comprehensive security policy this fall, officials said, and has already completed some groundwork to help smooth the transition, according to Durbin.
Shortly after Dean took office as mayor, he hired Durbin