Opinion articles provide independent perspectives on key community issues, separate from our newsroom reporting.

Opinion

Voter data breach: What did officials know, and when?

That the state of Georgia inadvertently, and perhaps unlawfully, made public some very private information about more than 6 million of its citizens is unsettling enough. That state officials either withheld or were oblivious to that fact is worse.

The office of Georgia Secretary of State Brian Kemp confirmed Wednesday that it had disclosed Social Security numbers, and other personal identification of the state's registered voters, to 12 organizations that regularly purchase state voter lists.

Such purchases are completely legal and quite commonplace. But the information is supposed to be limited to such basic voter ID data as name and address, birth year, gender, voter registration number, etc.

In this instance, due to what Kemp called a clerical error involving data being placed in a wrong file, "personal identifying information" was sent to political and media organizations. And according to the Atlanta Journal-Constitution, the breach potentially affects every registered voter in Georgia -- about 6.2 million residents of the state.

Former Federal Trade Commission consumer protection specialist David Vladeck, now a law professor at Georgetown University, responded in an email exchange with the AJC that the situation is "a very serious breach involving a huge number of Georgia residents The types of information released -- especially SSNs and driver license records (which generally have addresses, dates of birth, pictures and other uniquely identifying information) -- are very, very valuable to identity thieves."

Aside from the serious practical ramifications of this massive release of personal info, there's the issue of timing, which brings to mind the late Sen. Howard Baker's historic Watergate question: "What did the president know, and when did he know it?" The breach occurred more than a month ago; it became public knowledge two days ago, and only after the filing of a class-action suit by two registered voters who learned of the situation from one of the voter list purchasers.

It's entirely possible that the error came to the attention of Kemp's office at the same time. But there are critical, and still unanswered, questions about how the state will attempt to repair the damage. State law, the AJC reports, requires the government to notify those affected by a data breach "in the most expedient time possible," and any such event affecting more than 100,000 people requires an email alert, statewide media notification and a "conspicuous" notice on the responsible agency's website. This breach affects more than 6 million Georgians; yet as of Thursday, one IT employee in the Secretary of State's office had been fired, voters had not been officially notified, and Kemp continued to maintain that voters' personal information had not been compromised.

Given the number of eyes that could have seen these lists, and even giving his office the benefit of the doubt for an honest mistake, there's simply no way Kemp can know that.

This story was originally published November 19, 2015 at 3:59 PM with the headline "Voter data breach: What did officials know, and when?."

Get unlimited digital access
#ReadLocal

Try 1 month for $1

CLAIM OFFER