The Georgia Secretary of State acknowledged that last month his office improperly disclosed social security numbers and other private information for more than 6,000,000 registered voters in Atlanta due to a “clerical error.” Anyone in Georgia who is registered to vote (approximately 6.2M citizens) may be affected. The Secretary acknowledged that his office shares voter registration data on a monthly basis with various news media and political parties as required by Georgia law upon request. He indicated that due to a clerical error, twelve recipients of this data received a disk that contained personal information including social security numbers and driver’s license information that should not have been provided. Two class-action lawsuits have been filed alleging significant damages as a result of the breach. Information regarding the breach became public upon the filing of the lawsuits.
Georgia’s identity theft law, enacted in 2005, requires certain private businesses and state and local government agencies to notify affected consumers after a breach is discovered. On November 19, the state of Georgia provided notice to affected persons, describing among other things that the Secretary of State’s office took immediate corrective action, including contacting the recipients who received the personal information and asking them to return it. This breach is somewhat similar to a massive data breach reported in South Carolina in 2012 that exposed 3.8M social security numbers possessed by the South Carolina Department of Revenue. The state of South Carolina paid a credit monitoring company approximately $12M to provide credit monitoring for victims of the breach, a service apparently not being made available to affected Georgia voters. South Carolina lawmakers also earmarked an additional $25M in the budget for an extra year of credit protection and to upgrade computer security for the state.
According to the Identity Theft Resource Center (ITRC), there have been a total of 669 data breaches to date in 2015, exposing nearly 182M records. The annual total includes 21.5M records exposed in the attack on the U.S. Office of Personnel Management in June and 78.8M healthcare customer records exposed at Anthem in February. Of the data breaches to date in 2015, approximately 38.6% represents the business sector, 36% represents the medical/healthcare sector, 9.1% represents the banking/credit/financial sector, 8.5% represents the government/military sector and 7.8% represents the education sector. By comparison, the ITRC tracked the total number of 2014 breaches at 783, which was up approximately 28% compared with 2013.
Data breaches that require notification under federal and state mandates, which may include even some inadvertent disclosures, continue to happen. It is true that not all such breaches can be prevented, but in addition to taking steps to prevent these incidents, businesses need to be prepared to respond quickly and thoroughly should such an unfortunate incident occur.