[ISN] Florida county posts residents' sensitive data on public Web site

From: InfoSec News (isn@private)
Date: Mon Apr 10 2006 - 22:20:08 PDT


http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,110389,00.html

By Jaikumar Vijayan 
APRIL 10, 2006
COMPUTERWORLD

The Social Security numbers, driver's license information and bank 
account details belonging to potentially millions of current and 
former residents in Florida's Broward County are available to anyone 
on the Internet because sensitive information has not been redacted 
from public records being posted on the county's Web site. 

A county official said the information available on the Web is in full 
compliance with state statutes that require counties to post public 
documents on the Internet. 

The information has been available on the Internet for several years 
and poses a serious risk of identity theft and fraud, said Bruce 
Hogman, a county resident who informed the Broward County Records 
Division of the problem about two weeks ago. 

The breach stems from the county's failure to redact, or remove, 
sensitive data from images of public documents such as property 
records and family court documents, Hogman said. Included in the 
documents that are publicly available are dates of birth and Social 
Security numbers of minors, images of signatures, passport numbers, 
green card details and bank account information. 

"Here is the latest treasure trove available to identity thieves, and 
it is free to the public, courtesy of the Florida state legislature in 
its great Internet savvy," Hogman said. The easy availability of such 
sensitive data also poses a security threat at a time of heightened 
terrorist concerns, he said. 

Sue Baldwin, director of the Broward Count Records Division, said the 
county is aware of Hogman's concerns but said that her office is in 
compliance with state laws requiring all state recorders to maintain a 
Web site for official records. As part of its statutory requirements, 
the public records search section of www.broward.org contains images 
of public records dating back to 1978, many of which are likely to 
contain sensitive information such as Social Security numbers, she 
said. According to Baldwin, certain documents recorded after June 5, 
2002, such as military discharges, family court records, juvenile 
court records, probate law documents and death certificates are 
automatically blocked from the public record under current Florida 
law. But the same information recorded prior to the June 2002 cutoff 
has been posted on the county site, she said. 

Up to now "recorders have no statutory authority to automatically 
remove Social Security, bank account and driver's license numbers," 
from public records, she said. 

A new statute set to take effect Jan. 1, 2007, will require county 
recorders to remove Social Security numbers, bank account numbers and 
credit card and debit card numbers from public documents before 
posting documents online, she said. To ensure compliance with the 
requirement, Broward County issued a Request for Letters of Interest 
from vendors of redaction software in February 2005 and has already 
selected Aptitude Solutions Inc. for the work, Baldwin said. 

"The software will be used to redact information from all images 
displayed on the county records Web site," including those already 
posted, Baldwin said.  "I do not know how long the actual process will 
take, but we intend to comply with the statutory requirements, 
including deadline."

Until that time, individuals who want sensitive information removed 
from an image or a copy of a public record can individually request 
that in writing, she said. Such a request must specify the 
identification page number that contains the Social Security number or 
other sensitive information, she said. 

"We have provided information pertaining to requesting redaction of 
protected information on our Web site at www.broward.org/records, 
since 2002," Baldwin said. Since Hogman expressed his concerns, the 
county has made the redaction request information more prominent on 
its Web site and is also working on creating a special e-mail box for 
handling redaction requests. 

"Aside from making the redaction request process as user-friendly and 
speedy as possible, I do not have the independent authority to take 
any additional action regarding removing material from the public 
records," she said. 

Baldwin added that the information available on the Web is also freely 
available for public purchase and inspection at the county offices. 
"Professional list-making companies have always purchased copies of 
records and data from recorders to use in the creation of specialized 
marketing lists, which they sell," she said. So too have title 
insurance underwriters and credit reporting agencies. 

Hogman, who wants the records taken down until a solution is found, 
said he has contacted several people -- including state legislators, 
both of the state's U.S. senators, the FBI and the U.S. Federal Trade 
Commission. So far, he has not heard back from anyone except Baldwin. 

"In my estimation, 'do nothing' is not a good solution because it 
leaves the information out there for public viewing" he said. 



_________________________________
LayerOne 2006 : Pasadena Hilton : Pasadena, CA
Infomation Security and Technology Conference
http://layerone.info



This archive was generated by hypermail 2.1.3 : Mon Apr 10 2006 - 22:47:36 PDT