Georgia Voter Information Data Breach Leads to Lawsuit
Two women have filed a class action lawsuit against the Georgia Secretary of State, Brian Kemp, after the Kemp's office released voter data that contained information including individuals' names, addresses, Social Security numbers, and even driver's license information.
Over six million Georgia voters could be affected by the breach. But it wasn't Russian hackers or disgruntled employees behind the #PeachBreach; it was simple, old-fashioned incompetence.
Don't Worry, Voters, And Don't Call Your Lawyers!
The breach occurred after the Secretary of States' office sent out routine voter information to state political parties and media outlets. According to the Atlanta Journal-Constitution, the office regularly releases registration information to dozens of groups, through the fairly antiquated method of mailing out CDs. But in the mid-October batch, that information included a host of personal, private details such as dates of birth and Social Security numbers.
The culprit was simple human error. The Secretary of State explained that the information was included in "a clerical error in the IT Division" and that all the disks had been recovered.
Kemp tried to quickly tamp down any fears. "The Georgia voter registration system was not breached," he wrote in a statement. "The system has been and remains secure, and I am confident no voter's personal information has been compromised." (The Secretary doesn't seem concerned that the CDs may have been copied or the private information otherwise taken and further disseminated.)
Those assurances haven't assuaged Elise Piper and Yvette Nancy Sanders, who quickly filed suit. They're seeking class certification covering all Georgia voters and claim that Kemp has not informed any voters or consumer reporting agencies of the breach.
When Is a Breach not a Breach?
Secretary Kemp, however, maintains that there was no breach. There was simply an accidental release of private, protected data.
That's a distinction without a difference, in our minds. First, employee negligence like the kind seen here, not hacking or theft, is the main cause of data breaches. Human error accounts for 36 percent of all breaches, according to a report by Baker Hostetler.
Second, the Secretary of State's computer system doesn't need to be compromised for there to be a data breach. The ABA Journal points out this insightful commentary by Clayton Wagnar of the Peach Pundit:
It's accurate for [Kemp] to say that the Georgia Voter Registration System was not breached. But that's not the full story. When we talk about a data breach, we're talking about the security and confidentiality of the data, not of any particular technology or process in place to protect it. Both the security and confidentiality of the personal information has in fact been breached -- including my own, and that of my family and friends.
Related Resources:
- IT Staffer Fired in Data Breach Affecting 6 Million Georgia Voters (Atlanta Journal-Constitution)
- Another Day, Another Data Breach: More Lessons for Lawyers (FindLaw's Technologist)
- The Cost of Data Breaches: It Ain't Cheap! (FindLaw's Technologist)
- What the Supreme Court's Spokeo Case Means for Privacy, Tech (FindLaw's Technologist)