Report from Public Safety Committee Meeting

Tonight, CM Michael Craddock, chairman of the Metro Council Public Safety Committee held a special called meeting to discuss the break-in at the Election Commission over the Christmas holiday. Guests of the committee were Nancy Whittemore of General Services, Sandy Cole from Information Technology Services and Ray Barrett from the Election Commission. The meeting was broadcast on Channel 3 and will likely repeat over the weekend if you want to catch it.

While there is no evidence that Social Security Numbers of 337,000 voters have fallen into the hands of people who are interested in fraud, the better-safe-than-sorry approach is for voters to notify one of the credit reporting services of the security breach. Metro has placed on the home page of the website some pretty helpful information. You will also get a letter in the mail from the Metro Election Commission about the security breach.

Metro has no plans (and no money) to pay credit reporting fees. At this writing Metro has not set up a customer hotline or call center to address voter inquiries. Council members have suggested they do this because a letter to 337,000 people is bound to generate at least a few calls. Bottom line for most people is that you need to keep an eye on your credit report for the near future.

Most people want to know how this happened. The answer is that it was the confluence of some pretty unfortunate decision making and communication. There is no burglar alarm at the Howard School building. The digital video recorders monitoring some areas of the building were disabled and had no alarms. General Services that oversees security said that they see their job as providing security for the building and the people who work there and visit. They apparently do not provide security for data inside the building as part of their mission. The security company, Wackenhut, that had the contract with Metro to provide building security sub-contracted to another firm. They only provided security 24 hours a day Monday through Friday. On weekends and holidays their contract only required security to be provided 12 hours a day.

The security guard on duty was listening to Christmas music and did not hear any noise during the break-in. He did not investigate Christmas decorations that were strewn on the floor. He did not make his rounds as required. It was not until this guard went off duty and was replaced by another on December 26 that the break-in was discovered.

Metro Election Commission staff left two laptops unsecured. Both may have complete social security numbers of 337,000 people. The laptops should not have been left out. The data on the laptops was not secured. ITS stated that it was not their responsibility to secure data. It was not their responsibility to enforce security policy - they simply made recommendations. It was pointed out that the Election Commission paid over $300,000 in fees for ITS services. Election officials were probably understandably confused about what that money actually bought them. It was also pointed out the ITS policy are written in such a way that suggests they are not optional. ITS's reponse was that they had no power to enforce these policies.

Thankfully, the Mayor's office has ordered a security audit from all departments and I think we will soon know what other departments might be at risk and what they are doing to prevent a similar occurance.