[ISN] CDs with state workers' information missing

From: InfoSec News (alerts@private)
Date: Tue Nov 13 2007 - 01:04:17 PST


http://www.nevadaappeal.com/article/20071110/NEWS/111100113/-1/NEWS

By Geoff Dornan
Appeal Capitol Bureau
November 10, 2007

More than 470 CDs containing payroll information about state workers, 
including their Social Security numbers, have been either lost or stolen 
over the past three years.

The discovery has prompted major changes in how those bi-weekly reports 
to state agencies are handled.

The issue was raised by former Department of Information Technology 
security manager Jim Elste who says his efforts to make the state tell 
workers their personal data may have fallen into the wrong hands caused 
him to be fired from DOIT.

He made the argument during four days of hearings before Administrative 
Hearing Officer Bill Kockenmeister. Elste is appealing his termination, 
saying he is covered by the whistleblower statutes.

For the past three years, the personnel department has sent CDs to more 
than 80 agencies for every two-week pay period so the financial officers 
there can reconcile payroll against their own records. In that time, 
Personnel Director Todd Rich said, more than 13,000 CDs have been sent 
out.

What Elste discovered in June was that there was no system for tracking 
the CDs after they are sent, no system for getting them back or 
destroying them, and that the data on the discs wasn't even encrypted.

Rich said 97 percent of the discs have been recovered, but he confirmed 
that as many as 470 are still missing.

Elste said that should have prompted a "breach notification" to let all 
the employees in agencies with missing discs know their personal 
information may not be secure.

"We've lost personal information for many employees in the state," he 
told the hearing officer. "Either personnel or the attorney general's 
office should declare a breach."

"We haven't had any notification from anybody that, hey, my identity has 
been stolen," Rich said.

He said it will be the attorney general's decision whether to issue a 
breach notification. If so, he said, it will be done by the agencies 
with missing discs.

Going forward, he said, the system has been tightened to prevent any 
unauthorized people from getting employee information.

"It's on top of my list because we want to make sure foremost our 
employees' personal information is protected," said Rich, who has only 
been personnel director since May. "It concerns me greatly."

He said the CDs now require a password to read any data on them and 
employee identities will be protected because, beginning next week, the 
Social Security data will be replaced by a unique employee 
identification number. He said that took time to do because it required 
reprogramming the mainframe computer.

He said he has also implemented a system where the discs will be signed 
for and returned to the personnel department after each pay period.

"We have new policies for managing the process," he said. "We want to 
make sure we get this cleaned up."

Elste argues the state violated his rights by firing him for raising the 
issue. He said it was his job as head of information security for the 
state.

DOIT Director Dan Stockwell testified Elste was fired for poor 
management and lack of anger control. State officials say as a 
probationary employee, he has no rights to appeal that firing.

That issue will be decided by Kockenmeister after attorneys on both 
sides file their final briefs. His ruling is expected early next year. 


__________________________________________________________________      
Visit InfoSec News
http://www.infosecnews.org/


