IT officials in Contra Costa County, Calif., last week launched an investigation into how hundreds of internal e-mails that contained private employee data ended up in the in-box of a Swedish company. And now legal analysts say the incident has revealed major weaknesses in California's landmark privacy law.
The investigation was launched after Computerworld notified the county on July 6 that Robert Carlesten, managing director of Internet company Ord&Bild AB in Karlstad, Sweden, had produced dozens of e-mails that he said had been arriving at his Internet.ac domain regularly for the past two years. Carlesten said he responded to the senders of the e-mails on multiple occasions to inform them of the problem but never received a reply.
In addition to a deluge of administrative communications from the county's Department of Information Technology and its human resources director, the e-mails contained detailed discussions and attachments related to the payroll files for the county's Superior Court as well as current and former employee benefits. Many of the e-mails contain the names, employee ID numbers and benefits information of Superior Court commissioners and other workers. Computerworld broke the story on its Web site on July 6 .
Tom Whittington, CIO for the Contra Costa County government, said the county became aware of the problem only after being notified by Computerworld. A preliminary investigation revealed that the problem, which has since been fixed, was the result of some county employees using erroneous e-mail address books and was not caused by a virus or worm infection, he said.
According to Whittington, the glitch stemmed from the county's Internet naming structure, which includes ".ac" for the auditor controller's office. "Now we need to research who has the bad address book that has this address," he said.
Whittington said his office was never directly informed about the problem by Carlesten and noted that any county employees who may have received e-mail responses from Carlesten never brought the matter to his attention.
Legal Applicability
Joanne McNabb, chief of California's Office of Privacy Protection, said an initial review of the language contained in California's Senate Bill 1386 concluded that the privacy law doesn't apply to local governments in the state. The law stipulates that individuals must be informed if their personal information has been compromised.
According to McNabb, SB 1386, which went into effect on July 1 last year, applies to "persons or entities" doing business in the state. Likewise, the Information Practices Act, which is the California equivalent of the Federal Privacy Act, applies only to state agencies and not to local government agencies, she said.
However, "our recommendation beyond minimum compliance with the law is to let people know" that their personal information has been compromised, said McNabb.
Whittington said the extent of the compromise is still under investigation and that no decision has been made regarding notifying affected employees.
However, some legal analysts said the law does indeed apply to the county. If it does, the Contra Costa County case would be the first major test of the new legislation.
Harold J. Krent, dean of the Chicago-Kent College of Law, said it's unclear whether local government agencies, even if exempt from the statute, fall within the definition of the term <i>person</i> as contained in a companion provision of the bill. If so, they would be required to notify individuals of any breach, he said.
"In similar statutory contexts, 'person' has generally been construed broadly to cover municipal corporations," said Krent.
Moreover, even if the county is defined as a person within the meaning of the law, it's unclear if there is a remedy for a failure to notify, said Krent. "Only 'customers' can sue to recover damages due to a failure to notify," he said. "This suggests that county residents whose information is maintained because they consume water or waste removal services could sue." But residents wouldn't be able to sue simply by virtue of their status as taxpayers; there has to be a customer/service provider relationship in place, Krent noted.
Professor Jeff Matsuura of the University of Dayton School of Law said the e-mails appear to contain personally identifiable information that is covered by SB 1386. "It seems to me that such an incident would gut the statute if this kind of disclosure did not fall within it," he said.
 |
|
|
