Data exposure: Counties across the U.S. posting sensitive info online

Social Security numbers, driver's license data and bank account numbers are all easily available

Broward County, Fla., Maricopa County, Ariz., Fort Bend County, Texas. Three counties separated by hundreds of miles with something in common: They’re among potentially hundreds of counties in several states that in recent years have made Social Security numbers, driver's license information, bank account numbers and a variety of other personally sensitive data belonging to residents available to anyone in the world with Internet access.

The exposure follows the failure to redact sensitive information from land records and other public documents posted on the Internet and makes county Web sites a veritable treasure trove of information for identity thieves and other criminals, according to a number of privacy advocates.

“These sites are just spoon-feeding criminals the information they need,” said B.J. Ostergren, a privacy advocate based in Richmond, Va. “But no one appears to be seeing it and nobody’s changing the laws,” she said.

Among the pieces of personally identifiable information from county Web sites made available to Computerworld by Ostergren and other privacy advocates were: Rep. Tom Delay’s Social Security number on a tax lien document; the Social Security numbers for Florida Gov. Jeb Bush and his wife on a quit claim deed from 1999; driver’s license numbers, addresses, vehicle registration information, height and race of individuals arrested for traffic violations; names and dates of birth of minors from final divorce decrees and family court documents; and even complete copies of death certificates with Social Security numbers, dates of birth and cause of death. (The Social Security numbers for Bush and his wife have been redacted and are no longer available online.)

“All of this information is available to anyone sitting in a cafe in Nigeria or anywhere else in the world,” said David Bloys, a retired private investigator who publishes a newsletter called "News for Public Officials" in Shallowater, Texas. “It’s a real security threat.”

Those concerns follow news that personally identifiable information belonging to an unknown number of current and former residents of Florida are available online because sensitive information has not been removed from public records posted on county Web sites in that state.

It’s unclear exactly how many of the 3,600 county governments in the United States do the same thing, said Mark Monacelli, president of the Property Records Industry Association, a Durham, N.C.-based industry group set up to facilitate the recording of, and access to, public property information.

But it’s safe to assume that many of them are posting sensitive data online, based on the trend by local governments to provide Web-based access to public records, said Darity Wesley, CEO of Privacy Solutions, a privacy consultancy for the real estate industry based in San Diego. “I think a lot of [county] recorders have been putting [images of] public land records on the Internet without any concern about who has access to it,” Wesley said.

But while the public access efforts raise privacy concerns, those worries need to be tempered with an understanding of the benefits from easier access to public land records, according to both Wesley and Monacelli.

“This whole topic of access to information is an issue that we as a nation are facing,” Monacelli said. “We have real estate professionals, title companies, attorneys and lenders who need this information for commerce purposes.” He argued that easier information-sharing enables more efficient mortgage and loan processes, for example.

“There’s a real need to keep the information flowing,” Wesley said, adding that while there’s a real need to protect data “at all costs,” there’s little evidence so far that the public availability of personal information on government sites has contributed to identity theft. For most identity thieves, the effort involved in sifting through millions of public records for sensitive information is simply not worth it, she said.

“There’s a lot of value in public records, and shutting down access to them” over privacy concerns would be a step backward, she said. “Rather than wrap a lot of fear and sensationalism” around the issue, what is needed is an informed discussion of the issue by legislators and privacy advocates.

The list of document images posted on county Web sites as part of the public record includes copies of property and tax records, motor vehicle information and court files. In some cases, documents relating to military discharges, family court records, juvenile court records, probate law documents and death certificates are also available. Much of the information has been freely available for public purchase and inspection at county offices for a long time, said Sue Baldwin, director of the Broward County Records Division.

“Professional list-making companies have always purchased copies of records and data from recorders to use in the creation of specialized marketing lists, which they sell,” she said. So, too, have title insurance underwriters and credit-reporting agencies. “Land records are public all over the country. This is not a new situation.”

Even so, privacy advocates say the move to post public records on the Web without removing personally identifiable information has greatly broadened access to sensitive data and the potential for misuse. “The simple truth is these records were safe in the courthouse for 160 years,” Bloys said. Now, all it takes is Internet access and a very rudimentary idea of how to look for data to find all sorts of information, he said.

Ostergren, for instance, claims to have harvested more than 17,000 Social Security numbers simply by “messing around” in county Web sites over the past two years. Among the countless nuggets Bloys turned up was the complete medical history of a terminally ill county official.

“I understand people’s concerns, but a lot of this information has been freely available for public inspection since Plymouth Rock,” said Carol Fogelsong, the assistant comptroller for Orange County, Fla.

She argued that the number of documents containing sensitive information may be lower than people assume. Orange County, for example, is in the midst of inspecting about 30 million pages dating back to 1970 for Social Security numbers, bank account numbers, credit card numbers and debit card numbers. So far, 7 million pages covering 2.2 million documents recorded between June 1, 2002, and April 30, 2005, have been inspected: Out of those pages, 119,000, or 1.63%, have information that needed to be redacted.

Fogelsong noted that people who want information removed can request that it be redacted. Very few documents filed in the public realm require sensitive data anyway -- but it is up to inviduals to make sure that it doesn't get into these records to begin with. "I would love if people would check their records on their own" to ensure no private information is publicly disclosed, she said.

Most counties around the country allow residents to immediately have their personal information expunged from public records on the Web. But indviduals have to usually make a written request and provide details on the Book and Page number where the information exists. In fact, consumers have a responsbility to ensure that public records do not carry Social Security numbers and other personally identifiable information, she said.

It is not always necessary to search for data, since online records often can be purchased in bulk for a fraction of what it would cost to buy them from a courthouse, Bloys said. One example: Fort Bend County, Texas, last year sold to a Florida company every document ever filed with the county clerk’s office -- estimated to be around 20 million -- for roughly $2,500. Bloys wrote about the transaction in his newsletter in December. Fort Bend County officials did not immediately return a call seeking comment.

The company that purchased the information is one of a large number of companies -- including firms in India, China and the Philippines -- that routinely download records directly from county Web sites, sometimes invoking the Freedom of Information Act, Bloys said.

Bloys is concerned that identity thieves and other criminals appear to be taking advantage of the easy availability of information. He pointed to a sharp increase in deed fraud in Florida and identity theft in Arizona. “A signature and notary seal extracted from an online county is all that is needed to take your home,” he said.

Ostergren, who runs a Web site called The Virginia Watchdog, has for the last two and a half years been fighting to keep images of public records off her county’s Web site -- and has so far succeeded. Nonetheless, about 14 of Virginia's 121 counties post images of public records. Several counties and other local governments in states such as Pennsylvania, North Carolina, South Carolina, Ohio, Georgia, Arizona, Texas and New York -- including all five boroughs in New York city -- currently post document images with sensitive information on the Web, she said.

Wesley, of Privacy Solutions, said there is a growing awareness of privacy concerns among state officials. Florida, for instance, has enacted a new law that requires county governments to redact all sensitive information from posted images by Jan. 1, 2007. On that date, Florida’s county recorders will also have the authority to redact sensitive information from documents before posting them -- something they are forbidden to do now.

County governments in several other states, including Texas, New Jersey, California and Washington, are redacting Social Security numbers and personally identifiable information from public records being posted online. Broward County, for instance, has selected a vendor named Aptitude Solutions Inc. to help automate the process of removing sensitive information from documents, Baldwin said. “I do not know how long the actual process will take, but we intend to comply with the statutory requirements, including deadline.”

In Orange County, Fogelsong said she hopes to complete the redaction process by the end of August. Despite initial concerns about the technology challenges involved, that process has been going better than expected, she said.

All images of documents recorded by the county have been copied, downloaded and shipped to Austin-based Hart InterCivic, which is scanning them for Social Security information as well as bank account, credit card and debit card numbers. Pages with any of such data are redacted and shipped back to Orange County, which then replaces the original image with a redacted one. The original copies are not deleted, but instead taken off-line, Fogelsong said. Roughly 2 million pages are being inspected every month in this fashion.

“I will not be able to stop everything,” Fogelsong conceded, adding that it is quite likely that even after the redaction process sensitive information might still make it online. “But I’m doing the best I can.”

Copyright © 2006 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon