[IP] Ohio recalls voter registration CDs; Social Security numbers included
Begin forwarded message:
From: Glenn Tenney CISSM CISM <gt_IP060107@xxxxxxxxx>
Date: May 1, 2006 7:54:17 PM EDT
To: Dave Farber <dave@xxxxxxxxxx>
Subject: Ohio recalls voter registration CDs; Social Security numbers
included
( for IP if you want )
http://www.computerworld.com/securitytopics/security/privacy/story/
0,10801,110983,00.html?source=NLT_SEC&nid=110983
Ohio recalls voter registration CDs; Social Security numbers included
The data was to be used for get-out-the-vote efforts in upcoming
primary elections
News Story by Todd R. Weiss
APRIL 28, 2006 (COMPUTERWORLD) - The Social Security numbers of
potentially millions of registered voters in Ohio were included on
CD-ROMs distributed to some 20 political campaign operations in recent
months as campaigns geared up for spring primary election races.
The problem was discovered Tuesday when one of the political campaigns
contacted the Ohio secretary of state's office to say that the
personal data was on the discs, even though it wasn't requested, said
James Lee, a spokesman for Secretary of State J. Kenneth Blackwell.
All of the political organizations that received the CDs were
immediately contacted and have agreed to return the discs for
replacements that won't include the Social Security numbers, Lee
said. The records of about 7.7 million registered voters in Ohio are
listed on the CDs, but Lee said he didn't know how many voter records
included Social Security numbers. The records show which elections a
voter participated in since 2002, along with their names and
addresses.
For many years, Ohio voter registration forms included a space where
the voter could choose to include a Social Security number, but it was
optional, he said. Earlier this year, the forms were changed to
include only the last four digits of the number to better protect a
voter's private information.
The Social Security numbers were included when the CDs were created,
Lee said. "When we did one of our data merges, some data included some
Social Security numbers" accidentally, he said. "It's just a data
issue that can be fixed now by leaving out that column."
Once the affected CDs are returned sometime in the next two weeks,
updated discs will be issued. Asked if any printouts from the CDs will
also be returned or destroyed, Lee said he doesn't believe any
printouts were made. "We consider the issue resolved," he said.
Political campaigns use the voter registration lists to conduct phone
canvassing, create mailing lists for brochures about candidates and to
put together door-to-door efforts.
This is the second time since March that the issue of privacy has
arisen in Ohio government agencies. Last month, an Ohio man sued the
state for posting his and other residents' Social Security numbers for
years on state Web sites where publicly searchable records are stored,
showing retail purchases made using credit cards or bank loans (see
"Ohio secretary of state sued over ID info posted online").
Lee Tien, a senior staff attorney for the Electronic Frontier
Foundation, a San Francisco-based, nonprofit digital rights and
privacy group, said the Ohio incident is particularly egregious
because there has been no public notification of the data disclosure
by state officials.
"There was a foul-up by the state in sending the data out," Tien
said. "They've got to make sure it never happens again."
Chris Hoofnagle, senior counsel for the Electronic Privacy Information
Center, a Washington-based privacy group, said the incident
underscores the importance of laws that would allow people to "freeze"
their credit to prevent unauthorized persons from gaining their
personal information and opening credit accounts in their names. Ohio
does not have such laws, he said.
The state, however, does have a security breach notification law,
Hoofnagle said, but it is unclear how it would apply in this case. The
law, which went into effect Feb. 17, requires a state agency, person
or business entity to contact residents "if unencrypted or unredacted
personal information about those individuals ... [that is] included in
computerized data owned or licensed by the agency, person, or business
entity is accessed and acquired by unauthorized persons." The law
states that such notification must be given if such release "causes or
reasonably is believed will create a material risk of the commission
of the offense of identity fraud or other fraud to the individual."
"The bill may apply," Hoofnagle said. "It seems like something should
happen."
According to Ohio officials, Social Security numbers have been used
for years to help state elections officials confirm voter identities
by cross-referencing the information with data from the state's Bureau
of Motor Vehicles, according to BMV spokesman Fred Stratmann. The
secretary of state's office would send the voter regiway sa02, voters
must include only the last four digits of their Social Security
numbers as part of their registrations to help confirm their
identities, Stratmann said. That information is then cross-referenced
against the AAMVA database, he said.
That procedure has at least one Ohio resident very angry. Rosanna
Miller, a 55-year-old musician and music teacher in Amanda, Ohio, said
the use of Social Security numbers for identification purposes by
government agencies is wrong. She said that information is supposed to
be kept private, according to the Social Security Administration.
"Every time you turn around, the government's telling you something
that's not the truth," Miller said.
Last year, Miller said she was turned down for assistance from a state
program to help pay her home heating bills because she refused to put
her Social Security number on the form.
When Miller telephoned the state secretary of state's office earlier
this week to check to see if her Social Security number was listed in
her voting registration records, she was told that the number was not
on her records. "Now, do I believe that?" she said.
The problem is that many different government agencies have been using
the information, including the secretary of state's office, she
said. "Now [the BMV] is passing it out. This just gets deeper and
deeper and deeper."
-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/