data dump —

Georgia sent out CDs of data from 6M voters containing SSNs, birth dates [Updated]

Secretary of state attributes the information dump to a “clerical error.”

The CD sent with a wealth of personal information on Georgia voters. From the lawsuit filed against Secretary of State Brian P. Kemp.

This week, two Georgia residents filed a class action complaint against Secretary of State Brian P. Kemp for allegedly sending CDs containing personal data belonging to 6 million voters to 12 media organizations, political parties, and other groups, including Georgia GunOwner Magazine.

The CDs filled with voter data were regularly sent out to these 12 parties as part of a legal subscription service that offered access to lists of registered voters, but the lawsuit alleges that somehow, October’s CD went out to subscribers with voters' social security numbers, dates of birth, and driver's license numbers attached to their names.

The Atlanta Journal-Constitution verified these claims by accessing one of the discs and looking up one of the paper’s staffers. Sure enough, his social security number and driver’s license number appeared. "The AJC has returned its copy of the disc to the state,” the paper said.

On Wednesday, Kemp issued a statement (PDF) saying that the loss of information occurred because of a simple mistake. “[I]n October, a clerical error in the IT Division led to these discs containing personal identifying information that should not have been included. The IT person responsible has been terminated for breaking internal rules governing the release of this information.”

Kemp added that after he learned of the data loss, his staff “took immediate action to confirm that the recipients had not copied or otherwise disseminated the data.” The secretary of state did not detail how it was able to confirm that the data hadn't been copied. He also insisted that the Georgia Voter Registration System had not been breached.

The lawsuit filed on Tuesday charged that “Kemp has not notified a single Georgia citizen that his or her information may have been compromised.” As of Wednesday, Kemp’s statement was public on the Georgia secretary of state’s website, but it is unclear if he plans to notify voters who temporarily had their personal information in untrusted hands. Kemp's office did not return Ars’ request for comment.

Update 11/20/2015: The Georgia Secretary of State's office contacted Ars and said that it only learned of the improper release of data on Friday afternoon and sent police officers out to reclaim the discs early Monday morning. Responding to the criticism that the office didn't contact Georgia residents about the data leak individually, a spokesperson for the office said that Georgia law requires that when victims of a data breach exceed 50,000 people, the organization that lost control of the data need only notify people through the media. "We sent out a statewide press release, we have it on our website, we got a fully dedicated webpage with a hotline, and we're promoting that [news] through social media," the spokesperson said.

The spokesperson also said that when the Secretary of State's office sent out police officers to reclaim the discs, they received verbal confirmation from the owners that no copies of the discs had been made. "We’re in the process right now of getting sworn statements" from the 12 recipients, the spokesperson said.

Unfiltered personally identifying information distributed by the Georgia secretary of state's office. From the lawsuit filed against Secretary of State Brian P. Kemp.

The list of registered voters that the secretary of state’s office sends around to subscribers usually only contains the voter's name, residential and/or mailing addresses, race, gender, registration date, and last voting date, according to the lawsuit. Any citizen can request the log of registered voters for a fee of $500.

A voter registration form in Georgia only requires that the registrant put down the last four digits of their social security number, although putting down their whole social security number is optional. Still, the lawsuit claims all names in the database were paired with a social security number. "While the application only requests the last four digits of a voter’s social security number, for some reason the Secretary of State maintains each voter’s complete social security number and driver’s license number,” the lawsuit said. "It is unclear how all of this information has been collected and why the complete social security number of each voter is maintained, if it is not required at the time of registration.”

This is hardly the first time a political body has played fast and loose with records that citizens thought would be kept private. Earlier this year in an effort to enhance "transparency," former governor of Florida Jeb Bush released thousands of e-mails sent to him during his time in office without scrubbing the database of addresses, names, or social security numbers.

Listing image by Flickr user: 55thstreet
