News: CJ Exclusives

Are state agencies waiting to disclose data breaches?

North Carolina lacks a blanket security disclosure policy that covers all state agencies

State agencies reported a record 250 data breaches, identity information thefts, and unauthorized disclosures of personal records in their custody in 2017.

But as public concerns about computer hacks, electronic system vulnerabilities, and personal data mismanagement mount, the question is whether state agencies notify victims in a timely manner or can delay alerts because of ambiguity in state law requiring disclosure “without unreasonable delay.”   

In one of the most recent incidents, the state Department of Health and Human Services discovered a data breach Sept. 27 but didn’t announce it until late on the afternoon of Nov. 24, when public attention largely centered on Black Friday shopping.

The agency issued a press release saying personal records of some 6,000 people were improperly disclosed, and those affected would get letters.

A spreadsheet containing personal information was sent in error to a vendor in an unencrypted email. The spreadsheet included names, Social Security numbers, and test results for about 6,000 people who underwent routine drug screenings for employment, intern, and volunteer opportunities at DHHS, the release said.

“I don’t have much more information than you do,” state Rep. Donnie Lambeth, R-Forsyth, said when asked for comment about the time lag in alerting victims. Lambeth is a co-chairman of the Joint Legislative Oversight Committee on Health and Human Services, and said lawmakers should get an update during a committee meeting Tuesday.

DHHS spokesman Cobey Culton told Carolina Journal DHHS took immediate steps “to manage and contain the incident, including coordinating with the vendor on the deletion and secure destruction of that information.”

An investigation was launched, arrangements were made to notify those affected, and notification letters and media release were  prepared.

Culton said notification letters were mailed “without unreasonable delay,” after those steps were taken, and the Attorney General’s Office was notified as required by law.

Who was responsible, how the blunder occurred, and whether personnel action was taken haven’t been revealed.

“Any disciplinary action taken regarding any individual employee is a confidential personnel matter,” Culton said.

Protecting the privacy and security of job applicants is a top priority, he said. DHHS has reviewed proper procedures with employees and continues to review its internal processes to ensure data is handled correctly to help avoid a future occurrence.

DHHS also is exploring additional technical controls to help facilitate employees’ use of encryption when emailing sensitive information, Culton said.

Data security experts have a range of beliefs on what top priorities to pursue when a data breach occurs. Many believe prompt notification of victims is vital.

Robert Ellis Smith of Providence, Rhode Island, is publisher of Privacy Journal and a nationally recognized data security expert. He advocates swift notification.

“I think preliminary notification of what is known about a breach ought to be made within two weeks, with more specific information to follow promptly,” Smith told CJ. Tardy notification can allow insiders to manipulate or improperly use information and prevent consumers from protecting themselves in a timely way.

Smith said states have different notification requirements.

States with hard-and-fast deadlines usually specify a 90-day deadline. Indiana and Connecticut both require reasonably prompt notification, and their attorneys general have said 90 days is excessive, Smith said..

“I think it’s important that personnel discovering a breach take some time to find out how many people are potentially affected, whether the leak is remedied, and whether the impact will be significant and/or harmful,” Smith said. The more information that is known, the more useful notifications are to the recipients.

North Carolina has no blanket security policy for data breaches that covers all state agencies, said Margaret Bizzell, a spokeswoman at the N.C. Department of Information Technology. But the department establishes standards for information technology security in all executive branch agencies and monitors compliance.

She declined to say whether DHHS taking two months to inform victims was reasonable.

The DHHS data release isn’t considered a security breach because there was no intrusion into the state’s systems where illegal use of the personal information occurred or is reasonably likely to occur, Bizzell said. It was classified as an unauthorized disclosure of information.  

Bizzell said state and federal laws vary on what is required to be reported, and that can depend on the type of data involved.

The Department of Information Technology provides assistance as needed to state agencies in performing forensics and data recovery when an incident occurs. The department works with agencies to develop strategies to thwart future occurrences, Bizzell said.

Bill Holmes, another Department of Information Technology spokesman, said the department tracks data incidents attributed to malware, information disclosure, theft/loss, system compromise, account compromise, and web defacements.

The number of incidents spiked from 144 in 2016 to 250 this year. They had been lower — 51 in 2015, 30 in 2014, and 44 in 2013.

“The numbers have increased in the past two years as our new chief risk officer has put increased emphasis on the requirement to report,” Holmes said. What must be reported as a security incident was clarified and expanded. For example, Ransomware and account compromises would not have been reported previously.