Iowa Land Records Association Posts SSNs…Including The Governor’s…On Their Internet Site

Okay, here’s another example of a ridiculously dumb privacy breach that occurred, in Iowa this time, through a government agency posting information on the Internet…


Breaking news: Land records removed from Web
As a brief summary, the Iowa land records site, IowaLandRecords.org, had posted a ton of personally identifiable information (PII), including the Social Security numbers (SSNs) for Governor Chet Culver and Secretary of State Michael Mauro.
The county recorders from each of Iowa’s 99 counties are responsible for posting mortgage and commercial land record documents to the site.

“Culver’s and Mauro’s Social Security numbers were redacted soon after the online story was posted but thousands of other records remained on the site until early this afternoon. Culver, on Tuesday, requested that all the records with personal information that can be used in identity theft be immediately removed.”

Three cheers for Governor Culver! To only remove the PII of elected officials and leave everyone else’s on the Internet would have been gross negligence.

“The records association proposed state officials allocate money for a comprehensive redaction project to remove Social Security numbers from the records. They said the money could be attained through temporary recording fees. That cost could be “in the seven figures” but exact estimates were not available, a spokesman for the group said.
Or, the group suggested increased security on the Web site by requiring registered users provide more information so it is known who is accessing the records.”

The first idea is a good idea.
The second idea is a horrible idea. There is no reason to give SSNs and other PII to individuals who have no business responsibility for that PII. Simply knowing who accesses PII is not a safeguard! Certainly access should be logged, but logging access to PII is appropriate for individuals who have authorized access to the PII because of business responsibilities, and to identify unauthorized access.
Knowing the potentially thousands of people who are accessing PII will not keep them from doing bad things with that PII.

Tags: , , , , , , , , , , , , , , , ,

Leave a Reply