The Secretary of State’s office allegedly improperly released sensitive information to buyers of voter registration data.
(TNS) — Data security experts say the security lapse that potentially exposed the Social Security numbers and other personal information of more than 6 million Georgia voters could cause significant damage to consumers if the data were to fall into the wrong hands.
The information, including dates of birth and driver’s license numbers, is far more valuable to criminals than the bank card information that has been stolen in several recent high-profile cyberattacks against retailers such as Target and Atlanta-based Home Depot.
Personal identity information can be used over and over and fetch high prices among criminals, while bank cards aren’t as valuable because they can be quickly canceled after a theft.
“When you get a Social Security number and a date of birth, you’ve got everything you need to do tremendous damage to these consumers,” said Stephen Coggeshall, the chief analytics and science officer for data security firms LifeLock and ID Analytics.
Consumers should contact at least one of the three major credit bureaus — Equifax, Experian and TransUnion — to issue fraud alerts, experts said, because criminals could use the information to establish bank accounts, open credit cards or cause other sorts of financial harm.
This week two Georgia women sued Secretary of State Brian Kemp’s office alleging the agency in October improperly released sensitive information to buyers of voter registration data.
News media, political parties and other paying subscribers who legally buy certain — usually less invasive — voter information for research or political campaign purposes were among the 12 recipients.
Typically, the state releases include only names, addresses, ethnicity, gender, registration date, last voting date, and the political party primaries in which each voter participated.
The Secretary of State’s Office is attempting to retrieve discs sent to 12 buyers in order to secure the data.
Kemp told The Atlanta Journal-Constitution his office “undertook immediate corrective action, including contacting each recipient to retrieve the disc, and I have taken additional administrative action within the agency to deal with the error.”
The AJC was one of the recipients and returned its disc to the agency.
Unlike recent hacks of major retailers or the federal Office of Personnel Management, the breach of Georgia voter data involves information shipped to a known and narrow spectrum of buyers, not criminals who illegally forced their way into organizations’ computer infrastructure.
That “mitigates the seriousness,” Coggeshall said, but if there is “any bad actor who is in those organizations or involved in the transmission or delivery, you might consider that data as truly compromised.”
He said the state should consider doing what many retailers and banks have done after being hacked and provide free credit monitoring from the major bureaus. That could be very costly.
David Barton, an information security expert and a managing partner of the accounting firm UHY Advisors in Atlanta, said the breach demonstrates a “lack of control” in handling the data.
It wasn’t immediately clear whether the improper release originated with the state or a contractor to the Secretary of State’s Office.
Barton said it doesn’t matter.
“There need to be controls before data is released, whether it is assembled in-house or not,” he said.
A mishmash of federal and state laws currently requires companies and government agencies to take steps to protect sensitive personal information and to notify affected people when their data have been inadvertently released.
A bill proposing a federal omnibus law on data breaches, the Data Security & Breach Notification Act, has been knocking around Washington for years, so far without becoming law.
Most of the existing federal laws are aimed at specific agencies such as the Department of Veterans Affairs or specific types of information, such as hospitals’ handling of patient records or credit card account information held by banks, retailers and payments processors.
The Federal Trade Commission regulates unfair trade practices by businesses, including poor data security practices that put consumers at the mercy of identity thieves and hackers.
But the FTC doesn’t regulate state agencies, making it a gray area as to whether the agency might investigate a contractor operating on the state agency’s behalf, if some fault exists there.
An FTC spokesman declined to comment on the possibility of an investigation.
Similar jurisdiction issues apply to the Federal Communications Commission, which regulates data slips by cable, telephone and Internet providers, and the Consumer Financial Protection Bureau, which weighs in when hackers scoop up credit card records from financial firms.
“Making matters worse, the federal agencies have no authority here,” said David Vladeck, a former head of the Federal Trade Commission’s Bureau of Consumer Protection.
“The FTC, which generally investigates commercial data breaches, has no authority over governmental entities,” said Vladeck, now a professor at Georgetown University’s law school.
The state Attorney General’s Office did not immediately respond to inquiries about whether it would investigate the Secretary of State’s Office’s handling of the data, or whether the Law Department’s Office of Consumer Protection would advise voters about what they should do in the wake of the alleged security lapse.
©2015 The Atlanta Journal-Constitution (Atlanta, Ga.) Distributed by Tribune Content Agency, LLC.