BreachExchange mailing list archives
Vernon files suit in Social Security breach
From: Erica Absetz <erica () riskbasedsecurity com>
Date: Mon, 25 Mar 2013 10:44:46 -0400
http://www.njherald.com/story/21777542/2013/03/23/vernon-files-suit-in-social-security-breach VERNON — Vernon filed a lawsuit against five individuals, who received from the township an email attachment that listed employee Social Security numbers, as well as The New Jersey Herald, which published a story about the incident. The lawsuit, filed by Kevin Kelly in state Superior Court in Newton on Friday, is seeking financial compensation, as well as stopping the individuals — Sally Rinker, Jesse Wolosky, Curious George (anonymous name), Lynn Van Gorder and Sandra Ooms — from disseminating the confidential information. The lawsuit stems from an incident reported in the New Jersey Herald on Friday about these individuals who made Open Public Records Act requests to the township for payroll information. Municipal Clerk Sue Nelson responded by sending an attachment that she believed redacted the Social Security numbers and other personal information, but those hidden columns in the document were still visible. Vernon is arguing in the lawsuit that the individuals and New Jersey Herald tampered with the documents to see this hidden column in an "intentional invasion of (employee's) privacy and constitutional rights." However, Judge Edward Gannon on Friday wrote in a statement of reason that "no irreparable harm is shown," and therefore, a temporary restraint that would have forced the individuals and newspaper to immediately delete the documents was not necessary. "The confidential information at issue was released by the government in a redacted form, which seems to have been inadequate to protect the employees," Gannon wrote. "Anyone misusing such information might be subject to criminal penalties and/or civil damages." Gannon also said that there is no reason to restrict the newspaper under these circumstances. Bruce Tomlinson, Herald executive editor and general manager, said: "Though we are pleased with Judge Gannon's statement that a restraint on the Herald under the circumstances presented is unwarranted, we are confounded as to why Vernon would take legal action against members of the public who received sensitive information mistakenly sent to them by the township itself. It seems Vernon's legal counsel is attempting to shift fault for their mistake." Herald Publisher Jack Findley said, "I think that by trying to place the blame on the recipients of these documents, Kevin Kelly's lawsuit is entirely frivolous. He should explain on what grounds he is pursuing this lawsuit which does nothing but waste the taxpayers' money and township resources. If Kelly is trying to divert attention away from himself, it looks like his tactic backfired." Jesse Wolosky and Sally Rinker are also arguing that the blame should instead be placed on Vernon, rather than on those who received the documents under OPRA. "Nelson and Vernon's attorney Kevin Kelly, who handle the OPRA requests, have made a serious blunder," Rinker said. "Their actions have breached the confidential information of Vernon's employees. Their allegation, that those of us who requested the public information are the ones at fault, is disturbing." Kelly did not return calls for comment on Friday or Saturday. Wolosky said that Nelson should have followed the proper procedure for making redactions in an OPRA request. The state's Government Records Council recommends on its website that a custodian of records, especially in cases involving Social Security numbers, should make a paper copy of the original record and manually black out the information with a dark colored marker. Then, it should be scanned and sent to the requestor via email. This helps show precisely what information is redacted, while the double copying also ensures that a requestor cannot see through the document, as is sometimes the case with a hidden category or white-out correction. "Techniques such as ‘hiding' text or changing its color so it is invisible should not be used as sophisticated computer users can detect the changes and potentially undo the ‘hiding' functions," the Government Records Council advises online. However, in this case, the information was also clearly visible, without having to undo a hidden function, when the document was opened by Wolosky through his private email account at the New Jersey Herald office on Thursday. Tomlinson explained, the court filing incorrectly indicates that the Herald received an email with the document attached. "We do not, nor did we ever, have possession of the information sent to any of the individuals. In our research of the issue, we only observed as one of the defendants accessed his personal email account and demonstrated how the supposedly redacted information could be seen." Rinker gave her "personal assurance" that the confidential information would not be used or disseminated. She immediately notified the clerk and others about the breach when she realized it. "If Kevin Kelly was so concerned for the employees of Vernon, why weren't the recipients of the confidential information contacted by him immediately?" she said. "The court document contains libelous accusations about innocent citizens who did nothing wrong. Thankfully, the judge saw it that way." Wolosky also said he would delete the record . "After Kevin Kelly stops blowing smoke, I will be deleting the attached file and signing a certification saying that I did so." Wolosky added that he will represent himself at the hearing and ask the judge to dismiss the case with prejudice. "It seems like a wonderful way to get billable hours out of Vernon Township." A similar incident happened in 2010 when Wolosky was sent Social Security numbers and other personal information about 400 Sparta school employees through an OPRA request. Wolosky was asked not to disseminate the information, which he complied with, but the Sparta Township School District took further steps of its own to provide fraud protection for seven years to employees and to inform vendors of the leak. Van Gorder also said she would not disseminate the information and was not even aware that the Social Security numbers had been provided on first glance at the document. She said that she requested the list of employee salaries on March 7 because her husband, Thomas Van Gorder, is appealing with the state Civil Service Commission over a layoff from the township in October 2011. She has been gathering information through OPRA requests for the case, but often is denied. "On Thursday, I did get an email from Sue Nelson that said that she was providing the employee census so I couldn't believe it, and I was happy," Van Gorder said. "But, I never in a million years thought it would turn into a big to-do over Sue Nelson's mistake." Van Gorder said she feels "victimized" and "harassed" over her husband's layoff and now this lawsuit. "I'm very upset because I can't believe this action is being taken against innocent people," she said. "In my eyes this is slander. The employee should just stand up and take the blame instead of dragging our names through the dirt." An order to show cause is now scheduled to be heard in state Superior Court on April 5 at 1:30 p.m. _______________________________________________ Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org) Archived at http://seclists.org/dataloss/ Unsubscribe at http://datalossdb.org/mailing_list Supporters: Risk Based Security (http://www.riskbasedsecurity.com/) Risk Based Security equips organizations with security intelligence, risk management services and on-demand security solutions to establish customized risk-based programs to address information security and compliance challenges. Tenable Network Security (http://www.tenable.com/) Tenable Network Security provides a suite of solutions which unify real-time vulnerability, event and compliance monitoring into a single, role-based, interface for administrators, auditors and risk managers to evaluate, communicate and report needed information for effective decision making and systems management.
Current thread:
- Vernon files suit in Social Security breach Erica Absetz (Mar 25)