Activists: States not doing enough to protect privacy

Fraud and ID theft cost Americans about $1.2 billion in 2007, the FTC said.

MADISON, Wis. (AP) — Tax forms were sent out to thousands of people in Wisconsin with their Social Security numbers on the mailing labels. A vendor hired by the state of Georgia lost a computer disk with the names and Social Security numbers of 2.9 million people. A disk with similar information disappeared in Rhode Island.

Though some of the biggest and most spectacular privacy breaches in recent years have happened at large corporations, state governments have also mishandled or failed to protect some of the sensitive information entrusted to them — data that identity thieves would love to get their hands on.

Yet most states don’t have statewide privacy officers in charge of safeguarding data, statewide policies on protecting sensitive material, or standing procedures for responding to breaches.

“This is an area that has not gotten much attention, and there’s a lot of sensitive information stored by states. It’s not well-protected,” said Robert Ellis Smith, publisher of the monthly Privacy Journal newsletter.

In many states, wills, deeds, divorce papers, death certificates and other public documents that contain Social Security numbers, birthdates, addresses and signatures are accessible via government Web sites for free or a small charge — or through hacking.

With a few mouse clicks, privacy activist Betty “BJ” Ostergren has found Social Security numbers of former Secretary of State Colin Powell, football star Joe Namath and former Florida Gov. Jeb Bush.

“Its just amazing to me that we’ve got this stuff and we are putting millions of people at risk,” Ostergren said.

Through her efforts, several states have blocked online access to certain records, or redacted information such as Social Security numbers.

Ostergren, who runs the Web site The Virginia Watchdog, said her goal isn’t to prevent people from seeing public documents, but to at least make it a little harder for them to do so, by making them go down to the local courthouse to pull files.

Over the past year or so, security breaches at the discount retailer TJX Cos., the Maine-based supermarket chain Hannaford Bros. and other corporations have exposed tens of millions of credit and debit card numbers and led to thousands of cases of fraud.

It is difficult to say whether states are better or worse than corporations at safeguarding private information, said Joanne McNabb, chief of California’s Office of Privacy Protection. The protections adopted by businesses aren’t as public as what governments are doing, she said.

According to one Web site that tracks data-loss cases, etiolated.org, since 2000 about 21 percent have come from state and federal government. The biggest share, 40 percent, comes from private businesses. The rest come from educational, medical or nonprofit sectors.

The Privacy Rights Clearinghouse, a nonprofit group that is pushing for better protection of information, lists hundreds of security breaches by government, universities and businesses. According to the group, more than 224 million records containing sensitive information have been involved in security breaches since 2005.

The Federal Trade Commission estimated that consumer fraud and identity theft cost Americans $1.2 billion in 2007.

The breaches in Rhode Island, Georgia and Wisconsin took place over the past two years and have not resulted in any reported cases of identity theft.

In a little more than a year, Wisconsin had three incidents in which Social Security numbers were viewable on mailings that came from the state or through a contractor.