Waukesha County job applicant data exposed in mailing
Technorati Tag: Security Breach
Date Reported:
7/13/08
Organization:
Waukesha County, Wisconsin
Contractor/Consultant/Branch:
Crivello Carlson, S.C.
Victims:
Job applicants from the year 2006
Number Affected:
"more than 130"
Types of Data:
Job applications including, names, addresses, job and education history, salary, and Social Security numbers
Breach Description:
"More than 130 people who applied for a job with Waukesha County in 2006 had their Social Security numbers, employment and salary information, addresses and phone numbers and other personal information released to one of the women who applied for the job. "
Reference URL:
Milwaukee Journal Sentinel
New Richmond News
Report Credit:
Raquel Rutledge, Milwaukee Journal Sentinel
Response:
From the online sources cited above:
Taunya Thomas was horrified when she got a call from a stranger who knew almost everything about her.
The woman on the phone told Thomas she knew her Social Security number, where she lived and worked, how much money she made and where she went to high school and college. She rattled them off, not missing a single digit or fact.
She promised she wasn't going to use the information.
[Evan] Yeah. The government body that exposed the information made the promise that "your Social Security number will remain confidential". So much for promises.
She was calling, she said, because she wanted Thomas and others to know where she had gotten it.
She hadn't stolen it.
Waukesha County sent it to her in the mail, along with the same personal information for more than 130 other people who had all applied for a job with the county in 2006.
[Evan] What's with Wisconsin and mailing confidential information (in error)? This is the third mailing error reported on The Breach Blog coming out of Wisconsin this year.
The woman on the phone, Bernadine Matthews, too had applied for the position as an economic support specialist.
This is Matthews displayed holding the applications. Source: Milwaukee Journal Sentinel
When she didn't get it, she filed a complaint with the Equal Employment Opportunity Commission.
As part of the complaint and the investigation, the EEOC requested copies of all the applications.
The law firm representing the county, Crivello Carlson, sent the applications to Matthews.
[Evan] Really? Any second thoughts about the fact that this may put innocent people at risk?
Waukesha County tried to reclaim the documents sent to Matthews, threatening to get a search warrant and send a lawyer to her house, Matthews said.
When Matthews refused, they insisted she bring the documents to the law firm so they could white-out the private information in the applications.
Again, Matthews refused.
[Evan] At what point does Matthews cross a line. The confidential information on those job applications does NOT belong to her. In my opinion, she has no right to maintain possession of the information. For Matthews to knowingly maintain information that does not belong to her almost seems criminal to me.
The applications would be critical to her discrimination suit, she thought.
[Evan] So risk the disclosure of senstive information belonging to 130 people for your own benefit? If not criminal, it is certainly selfish.
She quickly hired an attorney, copied the documents and sent a set back to the county. She keeps her copies in an oversize safe-deposit box at her bank, she said.
[Evan] Who authorized her to make copies? The data owners (victims) certainly did not.
"I'm not going to be like the county," Matthews said. "I'm going to protect the privacy of the information in this box. Obviously they didn't give a darn about the applicants' privacy."
The Waukesha County employment application specifically states it will protect Social Security numbers.
"Your Social Security Number will remain confidential and will not be copied or released but is required for applicant tracking purposes," the application reads.
Ray Pollen, an attorney with Crivello Carlson, at first said it was no mistake that Matthews received the uncensored applications.
[Evan] So Mr. Pollen sent the information on purpose. Did he stop to think that there might be a problem here? Did it occur to anyone that they should redact the most sensitive information such as Social Security numbers, or names?
He said it was required under federal law that all parties in an EEOC discrimination complaint receive copies of information requested by the agency investigating. He couldn't point to the specific provision.
[Evan] Does a specific provision exist? I cannot think of a single purpose that a Social Security number would serve in this case.
Several days later, Pollen said the EEOC had no such requirement.
"The EEOC is silent on the issue," he said.
Instead it's the state's Equal Rights Division that requires all parties be copied on information requested by the division but even that provision doesn't mandate that attachments - such as the applications - be included. And, Matthew's case was not filed with the state.
"We followed the state's protocol," Pollen said.
P.I. asked: So anyone who applies for a job with Waukesha County could have their private information disclosed to a non-governmental third-party?
Pollen answered: "We responded to a federal agency's request for information. . . . In my opinion there was no violation of any law or procedure."
[Evan] Let's give Mr. Pollen the benefit of the doubt. Let's say that there was no violation of any law or procedure here. There certainly seems to be a violation of trust, a violation of good judgment, and a violation of privacy. The "if the law don't state it, then I must be able to do it" mentality is one of the reasons we have so many laws. Maybe if we used a little more common sense.
Taunya Thomas called the release of her information to a stranger shocking. She said at a minimum the county should have notified her that her information had been compromised.
"I'm devastated that it's that easy for my information to be disclosed," she said. "For someone to call me and tell me where I worked, where I went to school, recite my Social Security number verbatim to me, that's scary."
Commentary:
This is a very frustrating breach to read about. It is frustrating when someone knowingly discloses confidential information and then tries to justify it. Equally frustrating is when a person that has no right to the information refuses to part with it. In the middle of all of this are 130 innocent people.
I do not claim to know half as much about the law as Mr. Pollen does. His actions may be well within his legal rights for all I know.
Past Breaches:
Unknown
Date Reported:7/13/08
Organization:
Waukesha County, Wisconsin
Contractor/Consultant/Branch:
Crivello Carlson, S.C.
Victims:
Job applicants from the year 2006
Number Affected:
"more than 130"
Types of Data:
Job applications including, names, addresses, job and education history, salary, and Social Security numbers
Breach Description:
"More than 130 people who applied for a job with Waukesha County in 2006 had their Social Security numbers, employment and salary information, addresses and phone numbers and other personal information released to one of the women who applied for the job. "
Reference URL:
Milwaukee Journal Sentinel
New Richmond News
Report Credit:
Raquel Rutledge, Milwaukee Journal Sentinel
Response:
From the online sources cited above:
Taunya Thomas was horrified when she got a call from a stranger who knew almost everything about her.
The woman on the phone told Thomas she knew her Social Security number, where she lived and worked, how much money she made and where she went to high school and college. She rattled them off, not missing a single digit or fact.
She promised she wasn't going to use the information.
[Evan] Yeah. The government body that exposed the information made the promise that "your Social Security number will remain confidential". So much for promises.
She was calling, she said, because she wanted Thomas and others to know where she had gotten it.
She hadn't stolen it.
Waukesha County sent it to her in the mail, along with the same personal information for more than 130 other people who had all applied for a job with the county in 2006.
[Evan] What's with Wisconsin and mailing confidential information (in error)? This is the third mailing error reported on The Breach Blog coming out of Wisconsin this year.
The woman on the phone, Bernadine Matthews, too had applied for the position as an economic support specialist.
This is Matthews displayed holding the applications. Source: Milwaukee Journal Sentinel
When she didn't get it, she filed a complaint with the Equal Employment Opportunity Commission.
As part of the complaint and the investigation, the EEOC requested copies of all the applications.
The law firm representing the county, Crivello Carlson, sent the applications to Matthews.
[Evan] Really? Any second thoughts about the fact that this may put innocent people at risk?
Waukesha County tried to reclaim the documents sent to Matthews, threatening to get a search warrant and send a lawyer to her house, Matthews said.
When Matthews refused, they insisted she bring the documents to the law firm so they could white-out the private information in the applications.
Again, Matthews refused.
[Evan] At what point does Matthews cross a line. The confidential information on those job applications does NOT belong to her. In my opinion, she has no right to maintain possession of the information. For Matthews to knowingly maintain information that does not belong to her almost seems criminal to me.
The applications would be critical to her discrimination suit, she thought.
[Evan] So risk the disclosure of senstive information belonging to 130 people for your own benefit? If not criminal, it is certainly selfish.
She quickly hired an attorney, copied the documents and sent a set back to the county. She keeps her copies in an oversize safe-deposit box at her bank, she said.
[Evan] Who authorized her to make copies? The data owners (victims) certainly did not.
"I'm not going to be like the county," Matthews said. "I'm going to protect the privacy of the information in this box. Obviously they didn't give a darn about the applicants' privacy."
The Waukesha County employment application specifically states it will protect Social Security numbers.
"Your Social Security Number will remain confidential and will not be copied or released but is required for applicant tracking purposes," the application reads.
Ray Pollen, an attorney with Crivello Carlson, at first said it was no mistake that Matthews received the uncensored applications.
[Evan] So Mr. Pollen sent the information on purpose. Did he stop to think that there might be a problem here? Did it occur to anyone that they should redact the most sensitive information such as Social Security numbers, or names?
He said it was required under federal law that all parties in an EEOC discrimination complaint receive copies of information requested by the agency investigating. He couldn't point to the specific provision.
[Evan] Does a specific provision exist? I cannot think of a single purpose that a Social Security number would serve in this case.
Several days later, Pollen said the EEOC had no such requirement.
"The EEOC is silent on the issue," he said.
Instead it's the state's Equal Rights Division that requires all parties be copied on information requested by the division but even that provision doesn't mandate that attachments - such as the applications - be included. And, Matthew's case was not filed with the state.
"We followed the state's protocol," Pollen said.
P.I. asked: So anyone who applies for a job with Waukesha County could have their private information disclosed to a non-governmental third-party?
Pollen answered: "We responded to a federal agency's request for information. . . . In my opinion there was no violation of any law or procedure."
[Evan] Let's give Mr. Pollen the benefit of the doubt. Let's say that there was no violation of any law or procedure here. There certainly seems to be a violation of trust, a violation of good judgment, and a violation of privacy. The "if the law don't state it, then I must be able to do it" mentality is one of the reasons we have so many laws. Maybe if we used a little more common sense.
Taunya Thomas called the release of her information to a stranger shocking. She said at a minimum the county should have notified her that her information had been compromised.
"I'm devastated that it's that easy for my information to be disclosed," she said. "For someone to call me and tell me where I worked, where I went to school, recite my Social Security number verbatim to me, that's scary."
Commentary:
This is a very frustrating breach to read about. It is frustrating when someone knowingly discloses confidential information and then tries to justify it. Equally frustrating is when a person that has no right to the information refuses to part with it. In the middle of all of this are 130 innocent people.
I do not claim to know half as much about the law as Mr. Pollen does. His actions may be well within his legal rights for all I know.
Past Breaches:
Unknown
Posts Atom 1.0
Comments