November 19, 2015
Authored by: Jerry Blanchard and David Zetoony
The Georgia Secretary of State posted a letter on its website on November 18, 2015 admitting that, on October 13, the office inadvertently released personal identifying information on registered voters in Georgia. While the letter does not actually spell out what information was released, a lawsuit filed in Fulton County Superior Court this week alleges that the information on the 6,184,281 Georgia voters includes:
- voters full name
- residential address or mailing address if that is different
- voter registration date
- last date the person voted
- their social security number
- driver’s license number
- date of birth.
The information had been provided on CDs to 12 groups, including political parties and journalists, in a release that normally would only include basic information, such as names, addresses, registration and the last time the person voted. Under normal circumstances, the Secretary of State makes such information available for $500 to interested individuals and entities.
The Secretary of State letter indicates that the office has retrieved all of the CDs that contained the information and has confirmed that none of the data was retained by or disseminated to any third parties. In a day and time when state and federal governments have aggressively pursued private companies for similar inadvertent disclosures, the Secretary of State may still face liability.
In the meantime what should individuals do to protect themselves? As a good practice considering the overall number of breaches happening around the country that may have impacted your data, individuals who do not have credit monitoring should obtain a free copy of their credit report from www.annualcreditreport.com and review it on a regular basis to ensure that no fraudulent accounts have been opened in their name. If an account has been opened fraudulently, they should contact the credit reporting agencies and the Federal Trade Commission immediately.
For banks and businesses, the event provides an opportunity to evaluate how they could handle a similar incident under their incident response plans. Such plans may feature contracts with forensic investigators, credit monitoring companies, and public relations firms. At least once annually – and likely more frequently – companies should review their incident response plans to ensure that they are adequate for the data that they actually maintain.
For those entities that do not yet have an incident response plan, they should adopt one if they maintain personally identifiable information. The Washington Legal Foundation’s handbook on Data Security Breaches: Incident Preparedness and Response, which is co-authored by Bryan Cave Partner David Zetoony and Jena Valdetero, is a good resource for companies that are just getting started as well as companies that are re-evaluating the sufficiency of an existing plan.