Georgia is scrambling to review its IT policies as it faces a class action lawsuit over the mistaken release of voters’ personal information.
On Nov. 20, Secretary of State Brian Kemp laid out a series of steps that the state is taking in the wake of the breach, announcing in a statement that he’s hired consulting firm Ernst & Young to perform an audit of Georgia’s IT practices and that he’s implemented “strict new rules” governing the security of voter information.
According to Kemp, a “clerical error” by an IT employee led to the inadvertent inclusion of personally identifiable information, including Social Security numbers, of millions of people on a statewide voter list. On Oct. 13, that information was then burned onto 12 discs and mailed to media organizations and statewide political parties as part of their agreements with the state to access demographic voter information.
Kemp said his office discovered the error on Nov. 13, but the breach didn’t come to light until two Georgia women filed suit against Kemp in Fulton County Superior Court on Nov. 17.
The complaint alleges that Kemp violated Georgia law by failing to notify people affected by the breach, and asks the court to order the state to provide full notification and “equitable relief to prevent future disclosures of personal or private information.” The suit also claims that the roughly 6.2 million voters affected are eligible for inclusion as plaintiffs.
Kemp claims that his office ensured the 12 discs were “retrieved or destroyed” by Nov. 19, and he’s confident that the groups that received them never “copied or otherwise disseminated” the data. He added that the employee who made the critical mistake was fired for “breaking internal rules” governing the information.
But as the suit makes its way through the legal process, questions persist over the state’s handling of the case.
Michael Smith, communications director for the Democratic Party of Georgia, told StateScoop his group was among those to receive a disc containing the information. Since the party lacks the necessary software to analyze the data on the disc, Smith said the mistake slipped past their notice until news broke about the suit.
Smith also claims that the party didn’t hear from Kemp’s office about the mix-up until Nov. 17, the day the suit was filed. In his statement on the breach, Kemp, a Republican who is seen as a contender for the 2018 gubernatorial race, alleges that state investigators began contacting the groups mailed the discs on the morning of Nov. 16.
“We found out because of the lawsuit that was filed, just like the rest of Georgia, and that’s really sad,” Smith said. “[Kemp’s] callous disregard for the safety and well being of voters in Georgia is simply staggering.”
Representatives from three other groups that received the data — the Georgia Republican Party, the Libertarian Party of Georgia and the “Georgia GunOwner” magazine — did not respond to requests for comment by StateScoop.
Smith said “a good start” to remedying the issue “would be to get a new secretary of state” but he’s also hopeful the suit presses Georgia to adopt more secure data practices to prevent future incidents.
However, John Hutchins, an Atlanta-based attorney with LeClairRyan that focuses on privacy and data security law, feels the suit’s requests for an overhaul of state policies may hit a snag.
“It’s hard for me to imagine a court just fashioning its own remedy outside of a regulatory agency requesting it,” Hutchins said.
Hutchins said a body like Federal Trade Commission could get involved and issue a consent decree calling for “certain remedial action,” but there’s no sign of that happening just yet.
Ken Rashbaum, the head of Barton LLP’s privacy and cybersecurity practice, is more optimistic. He said the court could find some precedent in civil rights cases, such as the controversial case in Yonkers, New York, when a federal judge ordered the city to revise its plans for building public housing units.
“A court could conceivably [lay out changes] then order the state to report back to the court on a periodic basis as to how the initiative is going,” Rashbaum said. “Whether the Georgia state court is going to want to get involved in that, I can’t say.”
But Rashbaum sees other problems in the case. He worries that the claim that the millions of people affected by the breach deserve inclusion as class action plaintiffs is “awfully broad,” and Hutchins added that there are “problems with class action lawsuits in data breach cases all over the country.”
Regardless of the success of the suit, Rashbaum said this breach could even prompt state lawmakers to get involved.
“They’ve got their statutes and they may to revisit them and see if they can be tightened a little bit,” Rashbaum said.