
Notification Delayed Months after SSNs and birthdates of 40,000 stolen in Hawaii

The Honolulu Star Bulletin reported today:

"Records containing the names, Social Security numbers and birth dates of more than 40,000 individuals were illegally reproduced at a copying business sometime before January while they were waiting to be put onto a compact disc for the state.  State Attorney General Mark Bennett said federal authorities notified his office of the theft in January but asked that the information be withheld while an unrelated drug investigation was ongoing."

This illustrates one of the concerns with the loopholes in existing and proposed breach notification laws: they allow law enforcement to delay notification after the theft of personal information that can easily be used for identity theft and fraud, without making law enforcement accountable for the bad things that happen to the impacted individuals in the meantime.

The information was withheld because of "an unrelated" drug investigation?  Someone, or perhaps several people, had 40,000 people's SSNs and birthdates, and law enforcement thought it was okay that they be kept in the dark because of the remote chance that an unrelated drug investigation may somehow be involved? 

Accountability for law enforcement should be written in alongside these loopholes. Perhaps restricting notification would not be such a seemingly flippant decision if law enforcement were responsible for fixing all the messes that resulted from crimes committed with the stolen data during the wait, while the affected people were kept in the dark.

""We are taking this issue very seriously and strongly advise those affected ... to obtain and review their credit reports," state Attorney General Mark Bennett said yesterday in a news release. "Social Security numbers and other personal information can be used by thieves to obtain credit cards, to open fraudulent bank accounts, to mortgage property and purchase automobiles.""

They understand the risks, and yet they waited over four months to notify the individuals?  And now, they are advising them to obtain and review their credit reports?  They should at least be offering to pay for credit monitoring services for these people.  Again, organizations and law enforcement need to be more directly accountable for what happens to stolen personal data when they choose to delay notification.

"The records from the Voluntary Employees Benefit Association of Hawaii were set to be copied at NewTech Imaging in Honolulu when they were apparently illegally reproduced by one or more people, said Bennett's special assistant, Dana Viola."

This is another surprising risk that was taken; highly confidential data was taken to a local public copy store and left to be reproduced?  Why was such a decision made to leave highly sensitive data in the hands of an untrusted third party, in what appears to be a neighborhood copy store, where the public mills about?

"She could not say when the records were taken, but Bennett believes it was after February 2005.  Federal investigators learned in January that the records had been stolen, Bennett said. Police later found the data on a computer that had been confiscated as part of an investigation into drugs.  Russell Okata, HGEA's executive director, said the state is to blame for the theft because officials failed to "adequately protect the records" of the union's members."

The sensitive data should never have been taken to a public store and dropped off for duplication in the first place. Organizations that collect and maintain sensitive data must be responsible for it at all times, especially when they choose to entrust it to other organizations, for whatever reason, and they need to be accountable when bad things occur as a result of those decisions.


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.