Did the Georgia Secretary of State release the social security numbers, driver’s license numbers, and dates of birth of every registered Georgia voter? Those are the allegations first made by putative class representatives, Elise Piper and Yvette Sanders, in a recently filed Fulton County Superior Court lawsuit and confirmed by recent statements by the Secretary of State. For its part, the Secretary of State attributes the data leak to a “clerical error,” which it alleges involved the dissemination of CD-ROMs containing extraneous data to only 12 recipients and that the disks are in the process of being recovered. Piper and Sanders also allege that, despite being on notice of the leak, the state failed to notify the affected voters, or credit reporting agencies, in violation of the Georgia Personal Identity Protection Act of 2007 (GPIPA). Nonetheless, as troubling as the release of this information may be to voters – who may be dubious that the leak has been contained and concerned about the risk of identity theft or fraud – as a legal matter, it is unclear what, if any, remedy is available to plaintiffs.
The Data Leak
Per the complaint, the social security and driver’s license numbers were collected as part of the voter registration process. However, the suit alleges that although the voter registration process only required the last four digits of each voter’s social security number, the Secretary of State nonetheless maintained “each voter’s complete social security and driver’s license number.”
Some voter identification information, such as names and addresses – but not social security and driver’s license numbers – is regularly maintained in a “Voter File” which is routinely provided on CD-ROM to media members and political parties free of charge. The Voter File was also available to the general public for a $500 fee. However, plaintiffs allege, when the October 2015 Voter File was distributed, it not only contained standard voter identification information but also the social security number, driver’s license number, and date of birth for all 6,184,281 registered Georgia voters.
The Georgia Personal Identity Protection Act
Legally, the type of data released is a distinction with a difference. The GPIPA – like many similar state data breach notification statutes – defines “Personal Information,” in relevant part, as “an individual’s first name or first initial and last name in combination with any one or more of the following data elements” including a “social security number” or “driver’s license number.” Thus, while the dissemination of the standard Voter File containing voters’ names and addresses alone likely did not constitute a release of protected “personal information,” the alleged release of that information in conjunction with social security and driver’s license numbers could be deemed a breach.
Of course, even if the information was – as it appears to be – “Personal Information,” that is not the end of the inquiry. Other key questions include whether the Georgia Secretary of State is an “information broker or data collector” subject to the Act, whether the release of the information was a “breach of the security of the system” within the meaning of the Act, and whether the state failed to comply with the notice requirements of GPIPA.
Based on what we know, it would appear the answers to the first two questions are “yes.” The GPIPA defines a “data collector” to include state agencies and actors as long as they are not maintaining records “primarily for traffic safety, law enforcement, or licensing purposes or for purposes of providing public access to court records or to real or personal property information.” Assuming the Secretary of State cannot meet any of these exceptions – as seems likely – they are a “data collector.” Likewise, the act defines “breach of the security of the system” to mean “unauthorized acquisition of an individual’s electronic data that compromises the security, confidentiality, or integrity of personal information.” Again, based on the available information, this definition would appear to have been met by the dissemination of the personal information to media and political parties. That said, the Secretary of State may argue that the release of the information to a mere dozen people, followed by prompt efforts to recover the disks and contain the leak, did not jeopardize “the security, confidentiality, or integrity of personal information.” Of course, the fact that plaintiffs’ counsel apparently ended up with one of the disks undermines these arguments.
Turning to the next question,
Continue Reading Class Action Exposes Massive Data Leak Of Social Security and Drivers’ License Numbers of Every Registered Georgia Voter; Secretary of State Admits “Clerical Error”