Georgia tries to contain fallout from data breach

Georgia Secretary of State Brian Kemp said Thursday that he fired a technology staffer and confirmed all data discs illegally disclosing the private information of more than 6 million voters had either been recovered or destroyed.

He also published on his website an official notice of the breach as required by state law. The notice gave fraud prevention advice and a hotline number within the Secretary of State’s Office for concerned residents to call — but no promise of credit monitoring.

Kemp additionally sent a private letter to Georgia lawmakers that gave the most thorough review to date about how the problem happened — something the office has not made public. In the letter, obtained by The Atlanta Journal-Constitution, Kemp said his office learned of the foul-up on Nov. 13 — four days before any public acknowledgement of the problem.

He denied the disclosure was a breach of the state’s voter registration system.

“The system has been and remains secure,” he said. “I take full responsibility for this mistake.”

The sensitive data was sent out by Kemp’s office last month to 12 organizations who regularly subscribe to “voter lists” maintained by the state. The groups receiving the data included state political parties, news media organizations and Georgia GunOwner Magazine.

Kemp on Wednesday attributed the problem to a “clerical error.” The problem did not become public until two voters filed a class-action lawsuit Tuesday alleging a massive data breach.

“My staff has verified with the media outlets and political parties that received these discs that they have not copied or otherwise disseminated confidential voter data to outside sources,” Kemp said Thursday.

Nine of the 12 discs were physically retrieved by investigators, according to Kemp’s office. Officials said the other three were “confirmed” to have been disposed of by the recipients. When asked how legally binding those statements would be, David B. Dove, the office’s assistant deputy secretary of state and legal counsel, said: “We trust them.”

Clayton Wagar, the publisher and owner of the political blog, said in a post Thursday that he disposed of the disk shortly after receiving it but that it hadn’t been destroyed.

“Since the data was public record,” he wrote, “I never considered that a formal destruction and disposal process was necessary.”

According to the letter to lawmakers, the employee who was fired inadvertently added the personal data including Social Security numbers and birth dates to the public statewide voter file on Oct. 6. The office then downloaded the file to discs and distributed those discs to the 12 organizations on Oct. 13.

On Oct. 14, the employee “corrected his mistake and removed the personal information. The employee never notified anyone of the change, or of the period when personal information was on the file,” Kemp’s letter to the lawmakers said.

New safeguards have been put in place to prevent this from happening again, Kemp said. Those measures include blocking employee access to voter data downloads for changes other than those made by the office’s chief information officer. A three-part check will also be required before a disc containing the statewide voter file can be released to the public.

“It is my top priority to protect the personal information of all Georgians,” Kemp said.

Voter data often included Social Security numbers and dates of birth “until states became more aware of distributing that kind of sensitive information,” said Michael McDonald, an elections expert who teaches political science at the University of Florida.

While third parties can legally buy the voter lists from the state, the lists are only supposed to include a voter’s name, residential or mailing address, race, gender, registration date and last voting date.

No one is suggesting the disclosure was positive, but McDonald said groups such as those who received the lists in Georgia aren’t typically up to a nefarious purpose such as hacking.

“The good news is while there could be some people who are using voter files for identity theft and other things, this was only one month’s worth of the data … and I think most likely the common users of this data aren’t so much motivated by that,” McDonald said.

Kemp’s stance, however, may have come too late for many affected by the disclosure, both politically and practically. Many were disturbed by what they felt was the state’s slow reaction to notify the public.

“How is this possible and why is it apparently acceptable that the state would not act?” said Todd Fedell, a registered voter affected by the breach.

Others wondered whether Kemp himself should face some sort of reckoning. At the very least, it’s made his handling of the problem a political issue — a concern that existed on both sides of the aisle.

“It is my hope that the Secretary of State’s Office restores the trust of Georgia voters, and takes the necessary steps to ensure such a data breach never occurs again,” Republican U.S. Rep. Doug Collins of Gainesville said in a statement.

“Data security is a primary concern across our country and here in Georgia,” said state Rep. Scott Holcomb, D-Atlanta. “We mandate that our businesses keep our information confidential. Yet, here we have our secretary of state wrongly releasing millions of records with private information.

“Candidly, I don’t understand how this could happen and there needs to be accountability,” Holcomb said. “No one in the private sector would keep his job after a breach like this. And I’ve always been taught that accountability starts at the top.”
