Three weeks after acknowledging a massive breach of sensitive data effecting 6 million voters, Secretary of State Brian Kemp said it will be another week or more before Georgians can sign up for state-funded credit monitoring.
Kemp told lawmakers in a private letter that the state should start signing up Georgians for the free credit monitoring within the next 8-12 business days — a week before Christmas or during Christmas week.
Kemp updated lawmakers about efforts to deal with the massive data breach by his office in a letter, which was obtained by The Atlanta Journal-Constitution. Kemp told legislators he expects an internal investigation to be finished Friday.
“We hope to release a finalized report on our findings at the end of this week,” Kemp wrote.
He has said that a "clerical error" caused the breach, although the public release of the internal report would be the first full accounting from his office of what happened.
The breach included the release of Social Security numbers, birth dates and drivers’ license numbers. The Secretary of State’s Office did not immediately respond to requests for comment.
In the letter to lawmakers, Kemp said calls have slowed to a dedicated hotline in his office for voters who may have questions about the breach, which was made public Nov. 18.
“To date, we have received 680 calls,” Kemp said. Of them, “539 of those were in the first week. We currently average 18 calls a day with most callers asking if their information was included on the twelve discs and thanking the office for providing services through CSID.”
Kemp announced last week that he had hired the Austin, Texas-based CSID to provide voters a year of free credit and identity theft monitoring services, costing the state $1.2 million. Additionally, he said all Georgia voters in the breach whose identity was compromised will be eligible for identity theft restoration services if their identity is compromised over the next year.
Kemp also assured lawmakers over his hiring of Deloitte to do an independent audit of his office’s IT operations, policies, procedures, and system security. That effort will cost about $400,000. “I chose Deloitte to conduct the assessment because as an international professional services firm, they have specialized expertise with data release issues especially relating to government agencies,” Kemp wrote.
Officials discovered the breach Nov. 13, a month after they had mailed compact discs to 12 organizations that regularly request data updates to the state’s public voter files. The sensitive data appears to have been accidentally added to the discs. Kemp has said all 12 data discs have either been recovered or destroyed, and that the data were not disseminated.
One version of events leading up to the breach has come from an IT employee fired by Kemp for the gaffe. That worker, longtime state programmer Gary Cooley, has disputed Kemp's version of events and told the AJC he did not have the security access to add the data to a public data file.
Cooley instead outlined a more complicated series of missteps and miscommunication, both within the office and with PCC Technology Group, an outside vendor tasked with managing voter data for the state.
