Files on abused children. Employee evaluations. Tax returns. A list of computer passwords. Names, addresses, birth dates and other information on hundreds of foster children and abused children. And, of course, Social Security numbers.
The information could hardly have been more sensitive — the raw material of identity theft and invasion of privacy — yet the State of New Jersey was about to turn it over to the highest bidder, the state comptroller, Matthew A. Boxer, reported on Wednesday. After the comptroller’s office reviewed computer equipment that the state was preparing to auction to the public last year, it found that 46 out of 58 hard drives, or 79 percent, still had data on them, much of it confidential.
Mr. Boxer’s investigation stopped that sale, but it points to the near-certainty that the state had already inadvertently released privileged information on thousands of people. The state sells or gives away hundreds of computers annually at several auctions, and Mr. Boxer said that as far as he knew, no outside agency had looked into the handling of the equipment before his office did.
“What happened before our auditors got there is obviously an issue of concern,” he said. “The risk here is enormous.”
His report said that one agency had a device that magnetically erased computer drives, but that employees did not like to use it because it was noisy. “I find that offensive,” Mr. Boxer said.
Informed of the security breach, the State Treasury Department, which manages surplus equipment, stopped auctioning computers last year. It is working on a new set of practices for handling them.
Reports of the exposure of private data have become common, each one leading to a round of warnings about identity theft. Computers are lost or stolen, people accidentally post information online, and people are tricked into revealing their secrets.
The Privacy Rights Clearing House, a nonprofit group, keeps a database of 2,380 such episodes over the past six years, including 453 releases by government.
“Public-agency breaches are disheartening because they have so much data, and much of it is sensitive,” said Beth Givens, director of the group. “Data stewardship should be the top priority for them.”
State offices send used equipment to a warehouse in Hamilton, near Trenton, which is supposed to notify every state agency that it is available. Anything unclaimed after 30 days is given to local governments or nonprofit groups, or is sold at auction.
But the comptroller’s office found that the warehouse staff often failed to follow the rules for notification, steering computers, cellphones and other equipment to favored people in and out of state government. The investigation stemmed from a 2007 inquiry into auction-rigging, theft and other violations at that warehouse, which led to the conviction of four employees.
Thirty-two of the hard drives Mr. Boxer’s team examined held information that should not be made public. Six of the drives had Social Security numbers, including those contained in personnel reviews found in an e-mail archive.
The computers came from the judiciary branch, the Department of Children and Families, the Department of Health and Senior Services, and the Office of Administrative Law. In some cases, no attempt had been made to erase files. In others, investigators were able to recover deleted files using commonly available software.
One laptop had apparently been used by a judge, and contained confidential memos the judge had written about possible misconduct by two lawyers, and the emotional problems of a third. The computer also had extensive personal financial information on the judge, including tax returns.
Another drive had been used by a high-ranking official under a previous governor — the report did not say which one — and included private contact information for other top officials.
A list of children supervised by the state included their birth dates and Medicaid numbers. Another gave their immunization records. And there were files on more than 230 investigations into reports of endangered or abused children, including their names and addresses.
0 comments:
Post a Comment