Office of the Governor Press Releases

6.15.07 - Governor Reports Theft of State Data Storage Device
COLUMBUS – Governor Ted Strickland said today that the names and social security numbers of all 64,467 state employees were contained on a computer back-up device that was stolen on Sunday, but also emphasized that the data would be very difficult for a thief to access.

“I have asked the Ohio Highway Patrol to lead the investigation to recover the device,” Strickland said. “Also, I have directed the Department of Administrative Services to secure the opportunity for state employees to access free identity theft prevention and protection services for one year.”

It was determined the device contained personal employee information after reviewing 338,634 files in 24,333 folders over four days.

Tuesday it appeared that some of those 338,634 files might have contained names and social security numbers. After two days of review, it was determined that the names and social security numbers for all state employees were on the device.

DAS Director Hugh Quill notified state employees this morning via email. The governor also said a letter will be sent to each employee’s home, and a website will go live today at www.ohio.gov/idprotect to provide ongoing information for employees and the public regarding the situation.

Because the data was contained on a specialized medium, Strickland said it is highly unlikely that the data could be accessed by someone without the knowledge of how to do so.

The theft of the device happened when a state intern’s car was broken into. Electronic data management standards at the intern’s worksite call for one set of backup data to be stored off-site and the intern had been inappropriately designated to store the data at his home.

The governor has ordered the cessation of this data management practice and a review of the events that led to the data being compromised, and will take appropriate disciplinary action when the facts are known.

The governor has directed by executive order that state information technology managers immediately review, and if necessary change, the procedures for handling backup information to ensure that information is secure at all times.

The executive order is below:

Executive Order 2007 – 013S
Improving State Agency Data Privacy and Security

1. Data Privacy and Security are Critical. Ohio’s state agencies have the responsibility to carefully safeguard the sensitive personal information of state employees and other Ohio citizens that is in their possession. Proper management of social security numbers, financial institution account numbers and other similar sensitive personal information respects the privacy of those individuals associated with that data and helps protect against identity theft and other misuse of personal information.

2. Enhanced Data Privacy and Security Measures Are Needed. In order to properly protect personal data held by Ohio’s state agencies, I am ordering the following:

a. The Chief Privacy Officer at the Office of Information Technology will be responsible for coordinating the implementation of improved data security measures.

b. Within seven days, all agency directors shall designate a Data Privacy Point of Contact (DPPOC) and notify the Chief Privacy Officer of that designation.

c. All agency directors shall immediately review and begin updating existing information technology security policies and practices to make sure that they comply with the current statewide Office of Information Technology security policies. Within sixty days, the DPPOC at each agency shall provide a report to the Chief Privacy Officer detailing the state of compliance at their respective agencies and the steps and time necessary to achieve compliance.

d. In recognition of the significance of the Ohio Administrative Knowledge System (OAKS) to the information technology infrastructure of Ohio’s state government, the Chief Privacy Officer shall, within one week, assure the commencement of a comprehensive, independent third party security assessment of OAKS’ compliance with the current statewide Office of Information Technology security policies and internal agency policies and procedures. That assessment shall be completed within forty-five days and within thirty days thereafter, the Chief Privacy Officer shall provide a report to Ohio’s Chief Information Officer detailing OAKS’ state of compliance and the steps and time necessary to achieve compliance.

e. Within seventy-five days, the Chief Privacy Officer shall develop a privacy impact assessment protocol that will analyze how certain data is handled by state agencies. In particular, the assessment protocol will: (i) scrutinize the extent to which agencies handle information in a manner that conforms to state and federal legal, regulatory, and policy requirements regarding privacy and security, (ii) determine the risks and effects of information collection, maintenance and dissemination in their respective electronic information system, and (iii) examine and evaluate protections and alternatives for handling information in order to mitigate potential risks. Upon its distribution to them by the Chief Privacy Officer, the DPPOC at each agency shall be responsible for immediately beginning the utilization of the privacy impact assessment protocol.

f. Within seventy-five days, the Chief Privacy Officer shall develop a data encryption protocol that establishes the data that should be maintained in encrypted form (like social security numbers or financial account information), the circumstances in which such data should be encrypted (like data kept on a laptop or other portable device), and the encryption strength and standard to be utilized. Within seventy-five days thereafter, the DPPOC at each agency shall provide a report to the Chief Privacy Officer detailing the steps and time necessary to implement the data encryption protocol.

3. I signed this Executive Order on June 15, 2007 in Columbus, Ohio and it will expire on my last day as Governor of Ohio unless rescinded before then.

____________________________
Ted Strickland, Governor

ATTEST:

____________________________________
Jennifer Brunner, Secretary of State


Copyright 2009, Office of the Governor