Eric Roper reports that a lawsuit filed last week following a breach involving an employee of the Department of Natural Resources is not the only lawsuit in the works involving the state’s drivers license database:
A Star Tribune reporter received a letter in the mail from attorney Scott Kelly with Farrish Johnson. It notes that records from the state indicate that misuse of drivers records is “rampant.”
“We are looking at other agencies including the DNR where abuses occured,” the letter says. “If you are interested in pursuing a claim or would like information about your rights, please feel free to contact me.”
In the Rock County case, the firm found some of its 24 plaintiffs by placing an ad in the local newspaper. Kelly said Friday that they only sent letters to two people in relation to the DNR case.
After reviewing state records and filing open records requests, he believes that a minimum of 18,000 drivers records have been breached over the last three years.
Read more on the Star Tribune.
As much as I tend to discourage litigation as it is usually of little benefit to consumers, in cases where I see repeated breaches and the entity still hasn’t adequately hardened their security, I think it’s appropriate. The state has known for a while that they have a problem with authorized users exceeding authorized access. So what have they done to impose better access controls to prevent abuse?
If litigation is what it takes to get the state off the dime to deal with repeated problems, so be it. As I noted on DataBreaches.net, I’m not making any predictions as to any lawsuit’s chances. But if I lived in Minnesota, I’d be calling my state legislator to ask what the legislature is doing in terms of oversight of the Department of Public Safety to ensure and demand greater data protection and security for the driver’s license database. Imposing stiffer penalties on violators is not the same as preventing abuse.
In related coverage Roper reports that the employee involved in the Department of Natural Resources incident was a manager who oversaw training on data handling privacy:
Altogether, [John] Hunt made about 19,000 queries of the Driver and Vehicle Services (DVS) database over nearly five years — 11,800 of them while off-duty.
The agency, which had previously declined to release Hunt’s name, said Friday that it was performing a “top-to-bottom” review of DNR employee access to DVS data and “redoubling” employee training.
“This employee not only violated the law, but betrayed the trust of the agency, his supervisors, and fellow employees,” DNR Commissioner Tom Landwehr said in a statement.
There is no evidence Hunt sold or disclosed the information, but the massive breach spurred lawmakers this week to call for tougher penalties and more disclosure when public employees misuse government data. Two lawsuits, both seeking class-action status, have been filed in federal court by several of the 5,000 people who received data breach letters.
The DVS database, which contains photographs, addresses and driving records on Minnesotans with a license, is protected by state and federal law against illegitimate use. The agency fired Hunt on Jan. 11 and the Duluth city attorney is reviewing the case for possible criminal charges.
Ninety percent of Hunt’s queries were for females, the agency said. The lookups included local celebrities, politicians, judges, athletes, television news people, state employees and “victims of various tragedies,” according to Hunt’s disciplinary letter and an investigative report. Several Star Tribune reporters were among the 5,000 lookups.
Read more on Star Tribune.