For more info on a specific newsletter, click the title. Details will be displayed in a new window.
Subscribe to
Computerworld 40 years of the most authoritative source of news and information for IT leaders.
Update: Fla. residents' data exposure a statewide issue
or
Other Security Stories
|
|
|
|
April 11, 2006 (Computerworld) -- The Social Security numbers, driver's license information and bank account details belonging to potentially millions of current and former residents of Florida are available to anyone on the Internet because sensitive information has not been redacted from public records being posted on county Web sites.
Although questions about the availability of personal data online initially focused on Broward County, an official there stressed today that all counties in Florida are subject to the same state law. A spot check of other county Web sites today confirmed that sensitive data is easily available through public property records.
In fact, according to Sue Baldwin, director of the Broward County Records Division, counties across the nation face the same issue.
"Land records are public all over the country. This is not a new situation," said Baldwin, adding that the same issue affects "all the counties in Florida ... [and] lots of states."
In fact, the Ohio secretary of state is being sued for posting residents’ Social Security numbers for years on state Web sites where publicly searchable records are stored (see "Ohio secretary of state sued over ID info posted online").
"All this information has been out there and available since the beginning of time," Baldwin said. "It was out there, and the people who were educated about it knew it was there. It's been online since 1999."
She noted that the information on the Web is in full compliance with state statutes that require counties to post public documents on the Internet.
Bruce Hogman, a county resident who raised concerns about the availability of information with the Broward County Records Division about two weeks ago, said it poses a serious risk of identity theft and fraud.
The exposure stems from the county’s failure to redact, or remove, sensitive data from images of public documents such as property records and family court documents, Hogman said. Included in the documents publicly available are dates of birth and Social Security numbers of minors, images of signatures, passport numbers, green-card details and bank account information.
“Here is the latest treasure trove available to identity thieves, and it is free to the public, courtesy of the Florida state legislature in its great Internet savvy,” Hogman said. The easy availability of such sensitive data also poses a security threat at a time of heightened terrorist concerns, he said.
Baldwin said the county is aware of Hogman’s concerns but said state laws require all state recorders to maintain a Web site for official records. To meet those statutory requirements, the public records search section of www.broward.org contains images of public records dating to 1978, many of which are likely to contain sensitive information such as Social Security numbers, she said.
According to Baldwin, certain documents recorded after June 5, 2002, such as military discharges, family court records, juvenile court records, probate law documents and death certificates are automatically blocked from the public record under current Florida law. But the same information recorded prior to the June 2002 cutoff has been posted on the county site, she said.
Up to now, “recorders have no statutory authority to automatically remove Social Security, bank account and driver's license numbers,” from public records, she said.
A new statute set to take effect Jan. 1, 2007, will require county recorders to remove Social Security numbers, bank account numbers, and credit and debit card numbers from public documents before posting documents online, she said. To ensure compliance with the requirement, Broward County issued a request for letters of Interest from vendors of redaction software in February 2005 and has already selected Aptitude Solutions Inc. for the work, Baldwin said.
“The software will be used to redact information from all images displayed on the county records Web site,” including those already posted, Baldwin said. “I do not know how long the actual process will take, but we intend to comply with the statutory requirements, including deadline."
Even so, she called the redaction effort "a massive job."
"We can't do it overnight," Baldwin said.
Hogman, who has been in the IT field for over 30 years, said that redacting the images already posted on the Web could pose a significant technical challenge for county officials because the quality and format of the imaged documents varies.
"There was no standard enforced for any of the documents filed, such as Warranty Deed, and programming an [Optical Character Recognition] product will be both difficult and lengthy." The result: The redaction of sensitive data could take longer than expected, leaving information publicly available for the next several months he said.
Until the county can act, people who want sensitive information removed from an image or a copy of a public record can individually request that in writing, she said. Such a request must specify the identification page number that contains the Social Security number or other sensitive information.
The county also created up an e-mail in-box that allows people to file their requests via e-mail. That address is: removepersonalinfo@broward.org.
“We have provided information pertaining to requesting redaction of protected information on our Web site at www.broward.org/records, since 2002,” Baldwin said. Since Hogman expressed his concerns, the county has made the redaction-request information more visible online.
“Aside from making the redaction- request process as user-friendly and speedy as possible, I do not have the independent authority to take any additional action regarding removing material from the public records,” Baldwin said.
She added that the information available on the Web is also freely available for public purchase and inspection at the county offices. “Professional list-making companies have always purchased copies of records and data from recorders to use in the creation of specialized marketing lists, which they sell,” she said. So too have title insurance underwriters and credit-reporting agencies.
Given that public records have been readily available, Baldwin called concerns about posting them online "a tempest in a teapot," saying "most people's documents don't have [sensitive] stuff in them. There are relatively few documents that have that kind of information."
She also said that residents concerned about personal data that may be online should check to see if information is accessible that should not be and formally request that it be removed.
"People have to assume some responsibility," Baldwin said. "At least now people can look at this stuff and say, 'I don't want people looking at this' and ask [officials] to take it off. This is a way for citizens to be informed and to manage their documents. They should regard this as an opportunity."
Hogman, who wants the records taken down until a solution is found, said he has contacted several people -- including state legislators, both of the state's U.S. senators, the FBI and the Federal Trade Commission. So far, he has not heard back from anyone except Baldwin.
“In my estimation, ‘do nothing’ is not a good solution because it leaves the information out there for public viewing ” he said.
Computerworld's Ken Mingis, Linda Rosencrance and Todd R. Weiss contributed to this report.
Related Opinion:
- IT Blogwatch: Fla. springs info. leak (and hurray for sysadmins)
- Rod Hamilton: When disclosure collides with privacy
- Douglas Schweitzer: Some of your personal info is already public!
- C. J. Kelly: No expectation of privacy. Period.
- C. J. Kelly: Insiders are the real threat
- All Security Blogs
|
Print this Story |
|
Send Us Feedback |
|
E-mail this Story |
|
Digg this Story |
|
Slashdot this Story |
|
|
|
|
|
|
|
 |
|
All Zones Application Performance Zone Business Continuity Zone Data Center Management Zone Enterprise-Class Security Zone The File Data Management Zone Grid Computing on Windows Zone Security Management Zone ITIL Best Practices Zone The SAS Zone Storage Virtualization Zone Business Intelligence and Analytics Zone |
 See your link here
|
 |
||||||||
| ||||||||
| ||||||||
| ||||||||
|
Why SaaS is Vital to Email and Web Security
Download this Executive Bulletin (a $49.95 value) for free, compliments of MessageLabs.
Get this white paper now!
Read up on the latest ideas and technologies from companies that sell hardware, software and services.
- Microsoft promises four patches next week
- Google gives away home-cooked Web application security scanner
- Storm botnet stages Fourth of July attacks
- More top stories
Security Management ZoneSecurity management is the process of developing a comprehensive data protection plan. It takes into account all potential threats, the existing network environment, the future needs of the organization, and lays out a multi-tiered blueprint to integrate the security technology needed to combat these threats. CDW can help keep your network and data secure. Visit the CDW Security Management Zone now See All Zones
|
 Fired up about IT? Join Sharkbait and share your true tales of IT. SharkBait is the place for you to sound off about everything IT – the good, the bad, and the rest of the weird stuff you deal with every day.New baits 
|
"Security Directions" virtual trade show2008's Code-Red Security Issues for Protecting the EnterpriseWebcasts, white papers, demos, and more. Presented in a unique 3-d environment. Enter our show right now! Click here to enter
|
 In SecuritySecurity's important, and risk must be addressed, right? Sure, but watch for four signs your policies go a bit overboard. Click here to read the latest column by Jon Espenschied |
