Vernon files suit in Social Security breach

[Erica Absetz <erica () riskbasedsecurity com>]

http://www.njherald.com/story/21777542/2013/03/23/vernon-files-suit-in-social-security-breach

VERNON — Vernon filed a lawsuit against five individuals, who received
from the township an email attachment that listed employee Social
Security numbers, as well as The New Jersey Herald, which published a
story about the incident.

The lawsuit, filed by Kevin Kelly in state Superior Court in Newton on
Friday, is seeking financial compensation, as well as stopping the
individuals — Sally Rinker, Jesse Wolosky, Curious George (anonymous
name), Lynn Van Gorder and Sandra Ooms — from disseminating the
confidential information.

The lawsuit stems from an incident reported in the New Jersey Herald
on Friday about these individuals who made Open Public Records Act
requests to the township for payroll information. Municipal Clerk Sue
Nelson responded by sending an attachment that she believed redacted
the Social Security numbers and other personal information, but those
hidden columns in the document were still visible.

Vernon is arguing in the lawsuit that the individuals and New Jersey
Herald tampered with the documents to see this hidden column in an
"intentional invasion of (employee's) privacy and constitutional
rights."

However, Judge Edward Gannon on Friday wrote in a statement of reason
that "no irreparable harm is shown," and therefore, a temporary
restraint that would have forced the individuals and newspaper to
immediately delete the documents was not necessary.

"The confidential information at issue was released by the government
in a redacted form, which seems to have been inadequate to protect the
employees," Gannon wrote. "Anyone misusing such information might be
subject to criminal penalties and/or civil damages."

Gannon also said that there is no reason to restrict the newspaper
under these circumstances.

Bruce Tomlinson, Herald executive editor and general manager, said:
"Though we are pleased with Judge Gannon's statement that a restraint
on the Herald under the circumstances presented is unwarranted, we are
confounded as to why Vernon would take legal action against members of
the public who received sensitive information mistakenly sent to them
by the township itself. It seems Vernon's legal counsel is attempting
to shift fault for their mistake."

Herald Publisher Jack Findley said, "I think that by trying to place
the blame on the recipients of these documents, Kevin Kelly's lawsuit
is entirely frivolous. He should explain on what grounds he is
pursuing this lawsuit which does nothing but waste the taxpayers'
money and township resources. If Kelly is trying to divert attention
away from himself, it looks like his tactic backfired."

Jesse Wolosky and Sally Rinker are also arguing that the blame should
instead be placed on Vernon, rather than on those who received the
documents under OPRA.

"Nelson and Vernon's attorney Kevin Kelly, who handle the OPRA
requests, have made a serious blunder," Rinker said. "Their actions
have breached the confidential information of Vernon's employees.
Their allegation, that those of us who requested the public
information are the ones at fault, is disturbing."

Kelly did not return calls for comment on Friday or Saturday.

Wolosky said that Nelson should have followed the proper procedure for
making redactions in an OPRA request. The state's Government Records
Council recommends on its website that a custodian of records,
especially in cases involving Social Security numbers, should make a
paper copy of the original record and manually black out the
information with a dark colored marker. Then, it should be scanned and
sent to the requestor via email.

This helps show precisely what information is redacted, while the
double copying also ensures that a requestor cannot see through the
document, as is sometimes the case with a hidden category or white-out
correction.

"Techniques such as ‘hiding' text or changing its color so it is
invisible should not be used as sophisticated computer users can
detect the changes and potentially undo the ‘hiding' functions," the
Government Records Council advises online.

However, in this case, the information was also clearly visible,
without having to undo a hidden function, when the document was opened
by Wolosky through his private email account at the New Jersey Herald
office on Thursday.

Tomlinson explained, the court filing incorrectly indicates that the
Herald received an email with the document attached.

"We do not, nor did we ever, have possession of the information sent
to any of the individuals. In our research of the issue, we only
observed as one of the defendants accessed his personal email account
and demonstrated how the supposedly redacted information could be
seen."

Rinker gave her "personal assurance" that the confidential information
would not be used or disseminated. She immediately notified the clerk
and others about the breach when she realized it.

"If Kevin Kelly was so concerned for the employees of Vernon, why
weren't the recipients of the confidential information contacted by
him immediately?" she said. "The court document contains libelous
accusations about innocent citizens who did nothing wrong. Thankfully,
the judge saw it that way."

Wolosky also said he would delete the record . "After Kevin Kelly
stops blowing smoke, I will be deleting the attached file and signing
a certification saying that I did so."

Wolosky added that he will represent himself at the hearing and ask
the judge to dismiss the case with prejudice. "It seems like a
wonderful way to get billable hours out of Vernon Township."

A similar incident happened in 2010 when Wolosky was sent Social
Security numbers and other personal information about 400 Sparta
school employees through an OPRA request. Wolosky was asked not to
disseminate the information, which he complied with, but the Sparta
Township School District took further steps of its own to provide
fraud protection for seven years to employees and to inform vendors of
the leak.

Van Gorder also said she would not disseminate the information and was
not even aware that the Social Security numbers had been provided on
first glance at the document. She said that she requested the list of
employee salaries on March 7 because her husband, Thomas Van Gorder,
is appealing with the state Civil Service Commission over a layoff
from the township in October 2011.

She has been gathering information through OPRA requests for the case,
but often is denied.

"On Thursday, I did get an email from Sue Nelson that said that she
was providing the employee census so I couldn't believe it, and I was
happy," Van Gorder said. "But, I never in a million years thought it
would turn into a big to-do over Sue Nelson's mistake."

Van Gorder said she feels "victimized" and "harassed" over her
husband's layoff and now this lawsuit.

"I'm very upset because I can't believe this action is being taken
against innocent people," she said. "In my eyes this is slander. The
employee should just stand up and take the blame instead of dragging
our names through the dirt."

An order to show cause is now scheduled to be heard in state Superior
Court on April 5 at 1:30 p.m.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges. 

Tenable Network Security (http://www.tenable.com/)
Tenable Network Security provides a suite of solutions which unify real-time
vulnerability, event and compliance monitoring into a single, role-based, interface
for administrators, auditors and risk managers to evaluate, communicate and
report needed information for effective decision making and systems management.