By Martin H. Bosworth
ConsumerAffairs.com
February 7, 2007
The printing error that caused 170,000 Wisconsin taxpayers to receive
forms with their Social Security numbers visible to the public had the
dubious distinction of being the first big data breach of 2007.
Now comes news that the state's Department of Revenue and the printing agency responsible for the mistake may have tried to cover it up.
The printing company, Ripon Community Printers, asked the Department of Revenue to keep the breach quiet when it was first discovered, according to several local Wisconsin news outlets.
The agency agreed to do so, but was forced to confirm the breach after disgruntled residents contacted local newspapers and television stations to complain about the incident.
E-mail trails between Revenue Department officials and Ripon's staff confirmed that both sides wanted to keep the breach under wraps, although Ripon president Andy Lyke said that he did so only to prevent potential thieves from stealing the forms and using the information themselves.
"The press made the situation a whole lot worse. I'm convinced of that," he told reporters. "It alerted anyone who had any kind of ill-intent that these numbers were out there."
Revenue Department spokeswoman Meredith Helgerson acknowledged that the agency -- and she herself -- had hesitated to get the information out to the public on the day the breach was discovered, but decided to do so within several hours of discovering local news media going with the story.
Legislators At Risk
If that wasn't enough of a black eye, 109 members of the state Assembly were put at risk of identity theft when a laptop containing their personal information was stolen from the car of a state employee.
The unidentified employee had taken the laptop home but his or her car keys were stolen and the thief made off with the computer as well as personal effects, the Wisconsin State Journal reported.
The possibility of identity theft hitting home for Wisconsin's lawmakers has prompted many of them to call for stronger policies regarding both data security and notification of breaches.
State Senator Ted Kanavas (R-Brookfield) proposed legislation to prevent state agencies from disclosing any taxpayer information to third parties unless it was explicitly required for a task to be completed.
Kanavas said that "it's not 1975," and the state government needs to do a better job of collecting and protecting information.
Local Troubles Writ Large
The Wisconsin incidents are prime examples of the problems the federal and local governments face in handling information breaches.
Currently, each of the 50 states have wildly different laws governing policies such as breach disclosure, and there are no standards for any sort of conduct relating to taking information home.
The lack of common standards means that companies in a particular state can get away with hiding a data breach unless the public or media becomes aware of it through other means, as in the Wisconsin case.
On the other hand, much of the legislation proposed by Congress to govern data breach disclosures is noticeably weaker than state law, and would preempt any state's attempt to pass stronger laws, leaving citizens without much in the way of redress, and at the mercy of legislation likely to be largely written by industry lobbyists.
On the other hand, widely varying state laws are slowing down efforts by the Bush administration to implement a national electronic records-sharing system for medical information. The GAO recently released a report criticizing the plan for lacking adequate privacy protection measures.
