http://www.computerworld.com/securitytopics/
security/privacy/story/0,10801,110389,00.html
By Jaikrishna Vijayan
APRIL 10, 2006
COMPUTERWORLD
The Social Security numbers, driver's license information
and bank
account details belonging to potentially millions of current
and
former residents in Florida's Broward County are available
to anyone
on the Internet because sensitive information has not been
redacted
from public records being posted on the county's Web site.
A county official said the information available on the Web
is in full
compliance with state statutes that require counties to post
public
documents on the Internet.
The information has been available on the Internet for
several years
and poses a serious risk of identity theft and fraud, said
Bruce
Hogman, a county resident who informed the Broward County
Records
Division of the problem about two weeks ago.
The breach stems from the county's failure to redact, or
remove,
sensitive data from images of public documents such as
property
records and family court documents, Hogman said. Included in
the
documents that are publicly available are dates of birth and
Social
Security numbers of minors, images of signatures, passport
numbers,
green card details and bank account information.
"Here is the latest treasure trove available to
identity thieves, and
it is free to the public, courtesy of the Florida state
legislature in
its great Internet savvy," Hogman said. The easy
availability of such
sensitive data also poses a security threat at a time of
heightened
terrorist concerns, he said.
Sue Baldwin, director of the Broward Count Records Division,
said the
county is aware of Hogman's concerns but said that her
office is in
compliance with state laws requiring all state recorders to
maintain a
Web site for official records. As part of its statutory
requirements,
the public records search section of www.broward.org
contains images
of public records dating back to 1978, many of which are
likely to
contain sensitive information such as Social Security
numbers, she
said. According to Baldwin, certain documents recorded after
June 5,
2002, such as military discharges, family court records,
juvenile
court records, probate law documents and death certificates
are
automatically blocked from the public record under current
Florida
law. But the same information recorded prior to the June
2002 cutoff
has been posted on the county site, she said.
Up to now "recorders have no statutory authority to
automatically
remove Social Security, bank account and driver's license
numbers,"
from public records, she said.
A new statute set to take effect Jan. 1, 2007, will require
county
recorders to remove Social Security numbers, bank account
numbers and
credit card and debit card numbers from public documents
before
posting documents online, she said. To ensure compliance
with the
requirement, Broward County issued a Request for Letters of
Interest
from vendors of redaction software in February 2005 and has
already
selected Aptitude Solutions Inc. for the work, Baldwin said.
"The software will be used to redact information from
all images
displayed on the county records Web site," including
those already
posted, Baldwin said. "I do not know how long the
actual process will
take, but we intend to comply with the statutory
requirements,
including deadline."
Until that time, individuals who want sensitive information
removed
from an image or a copy of a public record can individually
request
that in writing, she said. Such a request must specify the
identification page number that contains the Social Security
number or
other sensitive information, she said.
"We have provided information pertaining to requesting
redaction of
protected information on our Web site at
www.broward.org/records,
since 2002," Baldwin said. Since Hogman expressed his
concerns, the
county has made the redaction request information more
prominent on
its Web site and is also working on creating a special
e-mail box for
handling redaction requests.
"Aside from making the redaction request process as
user-friendly and
speedy as possible, I do not have the independent authority
to take
any additional action regarding removing material from the
public
records," she said.
Baldwin added that the information available on the Web is
also freely
available for public purchase and inspection at the county
offices.
"Professional list-making companies have always
purchased copies of
records and data from recorders to use in the creation of
specialized
marketing lists, which they sell," she said. So too
have title
insurance underwriters and credit reporting agencies.
Hogman, who wants the records taken down until a solution is
found,
said he has contacted several people -- including state
legislators,
both of the state's U.S. senators, the FBI and the U.S.
Federal Trade
Commission. So far, he has not heard back from anyone except
Baldwin.
"In my estimation, 'do nothing' is not a good
solution because it
leaves the information out there for public viewing"
he said.
_________________________________
LayerOne 2006 : Pasadena Hilton : Pasadena, CA
Infomation Security and Technology Conference
http://layerone.info
|