Disclosure law doesn’t cover misplaced documents

12:59 AM Sunday, June 13, 2010

HAMILTON — If a government misplaces a pile of documents containing confidential information in a Dumpster, they don’t have to tell anyone. If they lose a password-protected laptop computer, state law requires public disclosure within 45 days.
That is why Butler County wasn’t required to tell the 10,600 people potentially affected by a security breach in 2008 that their records may have been tossed in a public trash bin — where at least one member of the public saw it — according to the Ohio Attorney General’s Office.

“(The law) applies to data in a computer system, security breaches,” said Ted Hart, spokesman for the Attorney General’s Office, which is responsible for enforcing the provision. “The law is specific to data theft and hacking and security systems.”
The state law created in 2007 requires state agencies and their political subdivisions that keep computerized data to disclose any breach of their system to residents made at risk of identity theft or fraud.

The law gives agencies 45 days after they find a security breach to notify the public.
The law was created the same year a data storage device containing information about 64,467 state employees was stolen from the car of an intern who worked for the state.
In response, the state paid $660,000 for all affected employees to be given access to a free credit monitoring service.

‘The right thing to do’

Similar laws also apply to some private agencies, such as hospitals. When Cincinnati Children’s Hospital discovered a laptop computer was stolen from an employee’s home in March, the hospital had to send a letter notifying more than 61,000 people.
The letter informs people that the laptop contained names, medical record numbers and hospital services received. It did not include Social Security numbers, telephone numbers or credit card info, the letter says. The information was password-protected, but not encrypted.

“While there is no evidence there has been an attempt to misuse any of the personal information, Cincinnati Children’s believes it is important to notify you,” the letter reads. “Cincinnati Children’s is committed to providing the highest level of care for its patients and families and that includes protecting personal information.”

In addition to the legal requirement, hospital spokesman Thomas McCormally said telling the public was “the right thing to do.”
“This is not the way that we like to do business, and we have staked our names and our reputation around patient quality and doing the right thing,” McCormally said. “When things like this happen, it means we have to redouble our efforts and see what we can do to do even better.”

The hospital also set up a hot line for those affected, and contracted with the Oregon-based company ID Experts to provide people with identity theft protection.
“Obviously, this is a big undertaking to notify families and then go the extra step of offering the credit protection that ID Experts will provide,” McCormally said.

State law mum on common mistake

In addition to a lack of enforcement of such matters, the state Attorney General’s Office says there is little in state law dictating disposal of confidential records.
Pari Swift, senior records manager at the Attorney General’s Office, said there is nothing in state law that “specifically governs the disposal of public documents.”
“There are other federal regulations that do specify how certain types of information need to be disposed, such as HIPAA,” Swift said. “I’d recommend just being smart about it. If a document contains confidential information, destroy it in a way that would completely obscure that information.”

Although cities are required to create a retention schedule for public documents, laying out exactly how long they will keep various items on hand, she said nothing controls how they are disposed of outside of that time period.
The Ohio Historical Society then receives those documents for review, where they determine whether a copy should be maintained for “enduring historical value,” Swift said. Once the Historical Society has a say, however, Swift said governments can go ahead and dispose of the records any way they please.

In March, a mound of documents from the city of Middletown was found to have been left in a public trash bin at Smith Park for weeks. Some contained Social Security numbers, phone numbers and carbon copies of checks.
City officials said they don’t know how it happened, but they suspect the documents started in a recycling bin, just as the county’s records did.
“Somebody made a mistake and threw something away that should have been shredded,” city Law Director Les Landen said at the time. “We do have a policy and process for getting rid of confidential and sensitive documents, but that clearly was not followed here.”

A similar incident of public information being improperly disposed of occurred slightly more than one year ago on June 26, when attorney William Bowen dumped stacks of business and real estate case files in a public trash bin.

Compliments of FileMan Research