Disclosure law doesn’t cover misplaced documents

Posted on Jun 13, 2010 in Records Management News

12:59 AM Sun­day, June 13, 2010

HAMILTON — If a gov­ern­ment mis­places a pile of doc­u­ments con­tain­ing con­fi­den­tial infor­ma­tion in a Dump­ster, they don’t have to tell any­one. If they lose a pass­word pro­tected lap­top com­puter, state law requires pub­lic dis­clo­sure within 45 days.
That is why But­ler County wasn’t required to tell the 10,600 peo­ple poten­tially affected by a secu­rity breach in 2008 that their records may have been tossed in a pub­lic trash bin — where at least one mem­ber of the pub­lic saw it — accord­ing to the Ohio Attor­ney General’s Office.

“(The law) applies to data in a com­puter sys­tem, secu­rity breaches,” said Ted Hart, spokesman for the Attor­ney General’s Office, which is respon­si­ble for enforc­ing the pro­vi­sion. “The law is spe­cific to data theft and hack­ing and secu­rity sys­tems.”
The state law cre­ated in 2007 requires state agen­cies and their polit­i­cal sub­di­vi­sions that keep com­put­er­ized data to dis­close any breach of their sys­tem to res­i­dents made at risk of iden­tity theft or fraud.

The law gives agen­cies 45 days after they find a secu­rity breach to notify the pub­lic.
The law was cre­ated the same year a data stor­age device con­tain­ing infor­ma­tion about 64,467 state employ­ees was stolen from the car of an intern who worked for the state.
In response, the state paid $660,000 for all affected employ­ees to be given access to a free credit mon­i­tor­ing service.

‘The right thing to do’

Sim­i­lar laws also apply to some pri­vate agen­cies, such as hos­pi­tals. When Cincin­nati Children’s Hos­pi­tal dis­cov­ered a lap­top com­puter was stolen from an employee’s home in March, the hos­pi­tal had to send a let­ter noti­fy­ing more than 61,000 peo­ple.
The let­ter informs peo­ple that the lap­top con­tained names, med­ical record num­bers and hos­pi­tal ser­vices received. It did not include Social Secu­rity num­bers, tele­phone num­bers or credit card info, the let­ter says. The infor­ma­tion was password-protected, but not encrypted.

“While there is no evi­dence there has been an attempt to mis­use any of the per­sonal infor­ma­tion, Cincin­nati Children’s believes it is impor­tant to notify you,” the let­ter reads. “Cincin­nati Children’s is com­mit­ted to pro­vid­ing the high­est level of care for its patients and fam­i­lies and that includes pro­tect­ing per­sonal information.”

In addi­tion to the legal require­ment, hos­pi­tal spokesman Thomas McCor­mally said telling the pub­lic was “the right thing to do.”
“This is not the way that we like to do busi­ness, and we have staked our names and our rep­u­ta­tion around patient qual­ity and doing the right thing,” McCor­mally said. “When things like this hap­pen, it means we have to redou­ble our efforts and see what we can do to do even better.”

The hos­pi­tal also set up a hot line for those affected, and con­tracted with the Oregon-based com­pany ID Experts to pro­vide peo­ple with iden­tity theft pro­tec­tion.
“Obvi­ously, this is a big under­tak­ing to notify fam­i­lies and then go the extra step of offer­ing the credit pro­tec­tion that ID Experts will pro­vide,” McCor­mally said.
State law mum on com­mon mistake

In addi­tion to a lack of enforce­ment of such mat­ters, the state Attor­ney General’s Office says there is lit­tle in state law dic­tat­ing dis­posal of con­fi­den­tial records.
Pari Swift, senior records man­ager at the Attor­ney General’s Office, said there is noth­ing in state law that “specif­i­cally gov­erns the dis­posal of pub­lic doc­u­ments.”
“There are other fed­eral reg­u­la­tions that do spec­ify how cer­tain types of infor­ma­tion need to be dis­posed, such as HIPAA,” Swift said. “I’d rec­om­mend just being smart about it. If a doc­u­ment con­tains con­fi­den­tial infor­ma­tion, destroy it in a way that would com­pletely obscure that information.”

Although cities are required to cre­ate a reten­tion sched­ule for pub­lic doc­u­ments, lay­ing out exactly how long they will keep var­i­ous items on hand, she said noth­ing con­trols how they are dis­posed of out­side of that time period.
The Ohio His­tor­i­cal Soci­ety then receives those doc­u­ments for review, where they deter­mine whether a copy should be main­tained for “endur­ing his­tor­i­cal value,” Swift said. Once the His­tor­i­cal Soci­ety has a say, how­ever, Swift said gov­ern­ments can go ahead and dis­pose of the records any way they please.

In March, a mound of doc­u­ments from the city of Mid­dle­town was found to have been left in a pub­lic trash bin at Smith Park for weeks. Some con­tained Social Secu­rity num­bers, phone num­bers and car­bon copies of checks.
City offi­cials said they don’t know how it hap­pened, but they sus­pect the doc­u­ments started in a recy­cling bin, just as the county’s records did.
“Some­body made a mis­take and threw some­thing away that should have been shred­ded,” city Law Direc­tor Les Lan­den said at the time. “We do have a pol­icy and process for get­ting rid of con­fi­den­tial and sen­si­tive doc­u­ments, but that clearly was not fol­lowed here.”

A sim­i­lar inci­dent of pub­lic infor­ma­tion being improp­erly dis­posed of occurred slightly more than one year ago on June 26, when attor­ney William Bowen dumped stacks of busi­ness and real estate case files in a pub­lic trash bin.

Com­pli­ments of File­Man Research

Read More

Missing transfer orders ‘may take years’ to find

Posted on Apr 28, 2010 in Records Management News

Miss­ing trans­fer orders ‘may take years’ to find

By JULIET O’NEILL, Can­west News Ser­viceApril 28, 2010

Records of Afghan detainee trans­fer orders show­ing whether Cana­dian mil­i­tary com­man­ders took the risk of tor­ture into account are buried in sea ship­ping con­tain­ers and “may take years” to locate, the Mil­i­tary Police Com­plaints Com­mis­sion was told yesterday.

The rev­e­la­tion by Major Denis Gagnon emerged when he was closely ques­tioned by lawyer Paul Champ, who said the com­mis­sion is on the verge of decid­ing whether it has to sus­pend pub­lic hear­ings, partly because of miss­ing and delayed doc­u­ments from the Defence Department.

Gagnon said the doc­u­ments are “all thrown together in a stor­age bin, a sea con­tainer,” and an assess­ment of how long it would take to cat­a­logue doc­u­ments and iden­tify the records requested by the com­mis­sion may take years.

Ear­lier, a senior mil­i­tary offi­cial tes­ti­fied that some Afghan detainee doc­u­ments requested by the com­mis­sion have been delayed to ensure no infor­ma­tion gets out that could jeop­ar­dize the secu­rity of troops in Afghanistan.

“We know full well that Canada’s ene­mies are ready to use that kind of infor­ma­tion against our troops that are deployed there,” Brig. Gen. Richard Blanchette said. “That is why there have been cer­tain delays in pro­duc­ing those documents.”

The com­mis­sion was also told that Defence offi­cials are screen­ing out doc­u­ments that mil­i­tary police would not have seen in the course of their duties.

Gagnon said he makes the deci­sion on what mil­i­tary police would have seen based on his per­sonal expe­ri­ence and his knowl­edge of com­mu­ni­ca­tions chan­nels within the mil­i­tary chain of com­mand and com­mu­ni­ca­tions links with the For­eign Affairs Department.

Read more: http://www.montrealgazette.com/news/Missing+transfer+orders+take+years+find/2958734/story.html#ixzz0mPukzgUN

Read More