http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,110389,00.html By Jaikumar Vijayan APRIL 10, 2006 COMPUTERWORLD The Social Security numbers, driver's license information and bank account details belonging to potentially millions of current and former residents in Florida's Broward County are available to anyone on the Internet because sensitive information has not been redacted from public records being posted on the county's Web site. A county official said the information available on the Web is in full compliance with state statutes that require counties to post public documents on the Internet. The information has been available on the Internet for several years and poses a serious risk of identity theft and fraud, said Bruce Hogman, a county resident who informed the Broward County Records Division of the problem about two weeks ago. The breach stems from the county's failure to redact, or remove, sensitive data from images of public documents such as property records and family court documents, Hogman said. Included in the documents that are publicly available are dates of birth and Social Security numbers of minors, images of signatures, passport numbers, green card details and bank account information. "Here is the latest treasure trove available to identity thieves, and it is free to the public, courtesy of the Florida state legislature in its great Internet savvy," Hogman said. The easy availability of such sensitive data also poses a security threat at a time of heightened terrorist concerns, he said. Sue Baldwin, director of the Broward Count Records Division, said the county is aware of Hogman's concerns but said that her office is in compliance with state laws requiring all state recorders to maintain a Web site for official records. As part of its statutory requirements, the public records search section of www.broward.org contains images of public records dating back to 1978, many of which are likely to contain sensitive information such as Social Security numbers, she said. According to Baldwin, certain documents recorded after June 5, 2002, such as military discharges, family court records, juvenile court records, probate law documents and death certificates are automatically blocked from the public record under current Florida law. But the same information recorded prior to the June 2002 cutoff has been posted on the county site, she said. Up to now "recorders have no statutory authority to automatically remove Social Security, bank account and driver's license numbers," from public records, she said. A new statute set to take effect Jan. 1, 2007, will require county recorders to remove Social Security numbers, bank account numbers and credit card and debit card numbers from public documents before posting documents online, she said. To ensure compliance with the requirement, Broward County issued a Request for Letters of Interest from vendors of redaction software in February 2005 and has already selected Aptitude Solutions Inc. for the work, Baldwin said. "The software will be used to redact information from all images displayed on the county records Web site," including those already posted, Baldwin said. "I do not know how long the actual process will take, but we intend to comply with the statutory requirements, including deadline." Until that time, individuals who want sensitive information removed from an image or a copy of a public record can individually request that in writing, she said. Such a request must specify the identification page number that contains the Social Security number or other sensitive information, she said. "We have provided information pertaining to requesting redaction of protected information on our Web site at www.broward.org/records, since 2002," Baldwin said. Since Hogman expressed his concerns, the county has made the redaction request information more prominent on its Web site and is also working on creating a special e-mail box for handling redaction requests. "Aside from making the redaction request process as user-friendly and speedy as possible, I do not have the independent authority to take any additional action regarding removing material from the public records," she said. Baldwin added that the information available on the Web is also freely available for public purchase and inspection at the county offices. "Professional list-making companies have always purchased copies of records and data from recorders to use in the creation of specialized marketing lists, which they sell," she said. So too have title insurance underwriters and credit reporting agencies. Hogman, who wants the records taken down until a solution is found, said he has contacted several people -- including state legislators, both of the state's U.S. senators, the FBI and the U.S. Federal Trade Commission. So far, he has not heard back from anyone except Baldwin. "In my estimation, 'do nothing' is not a good solution because it leaves the information out there for public viewing" he said. _________________________________ LayerOne 2006 : Pasadena Hilton : Pasadena, CA Infomation Security and Technology Conference http://layerone.info
This archive was generated by hypermail 2.1.3 : Mon Apr 10 2006 - 22:47:36 PDT