IT officials in Contra Costa County, Calif., today launched a countywide investigation into how hundreds of internal e-mails containing private employee data were sent out inadvertently to a Swedish company.
The investigation was launched after Computerworld notified the county that Robert Carlesten, a 26-year-old managing director of Internet company Ord&Bild, based in Karlstad, Sweden, could produce dozens of e-mails he said have been arriving at his Internet.ac domain regularly for the past two years.
Carlesten said he tried to contact the senders of the e-mails on numerous occasions but received no reply.
In addition to a deluge of administrative communications from the county's Department of Information Technology and human resources director, the e-mails contain detailed discussions and attachments related to the payroll files for the county's Superior Court as well as current and former employee benefits. Many of the e-mails, obtained by Computerworld, contained the names, employee numbers and benefits of Superior Court commissioners and other workers.
Tom Whittington, CIO of Contra Costa County, said the county became aware of the problem only after receiving calls from Computerworld. A preliminary investigation, he said, revealed that the problem was the result of some county employees using erroneous e-mail address books and wasn't caused by a virus or worm infection.
"We've started to take action to stop this, and I believe we have stopped it," said Whittington. "We shut off and blocked the Internet.ac domain so our employees can't send any e-mails to that address."
Part of the problem, said Whittington, is that the county's naming structure includes ".ac" for the auditor controller's office. "Now we need to research who has the bad address book that has this address."
But that move poses a potential challenge for Whittington's IT administrators: Many employees have personal address books that are stored only on their PCs, making it impossible for the county's IT department to centrally update all address books.
Although Whittington said he has been advised by the county's chief information security officer that counties and cities are exempt from California's landmark identity-theft law, known as SB 1386, some legal analysts said the county may be required to notify those whose personal information was compromised.
SB 1386, which went into effect July 1, 2003, requires companies that do business with California residents to inform customers when their names, in combination with personally identifiable information, have been accessed by an unauthorized person. If Contra Costa County is required to follow the statute, it would be the first major test of the law.
Jeff Matsuura, a professor at the University of Dayton School of Law, said that on face value, the e-mails appear to contain personally identifiable information that is covered by SB 1386. "It seems to me that such an incident would gut the statute if this kind of disclosure did not fall within it," said Matsuura.
He added that there might be other federal legal issues that come into play, such as whether the incidents violate the Electronic Communications Privacy Act.
"If I were advising the county, I'd tell them to notify everybody whose personal data was compromised," said Matsuura.