Phoenix, Arizona


Email Staff Writer Staff Writer on LinkedIn Staff Writer on Twitter Staff Writer on Facebook
Staff Writer
Staff Writer
Contributor •

Public Records Containing Social Security Numbers Readily Available in Arizona

Comments Off

Yesterday News Channel Five reported that some county records containing social security numbers and other confidential information are readily available for inspection by anybody with internet access which unfortunately presents criminals with an invitation to commit identity theft. How would you feel if your social security number has been published on the internet because it has been included somewhere in a public record? Even worse, in the Channel Five news story, when a citizen found that his social security number was readily available from the County Recorder’s Office and later tried to remove this information, the Recorder refused. Because the data involves public records, it has been placed in cyberspace without password protection or encryption. Data thieves do not need to hack into this database to steal it. Some state agencies disclose public records by mail only after redacting confidential and personal information. The federal privacy act and other privacy safeguards require removal of personal and confidential information from public records. Although the county has taken steps to remove confidential information for all new records, apparently it will take up to six months to remove social security numbers and other confidential information from remaining records.

Apparently without a direct request by the affected party, the County will not remove the records which have not yet been redacted from the internet during this interim six month time period. The County suggests that a six month delay is acceptable. However, because thieves can copy each and every single social security number on the web in six months, such a delay seems unacceptable. Instead, I believe that the county should take down its public database only for records which have not yet been redacted and add these records back to the database when redactions have been completed. In the meantime, over the next six months, rather than obtaining records via immediate internet access, people making public records requests would simply wait a day or two while employees redact confidential information and provide responses the old fashion way, by mail. Such protections seem reasonable considering that the alternative exposes hundreds of thousands of citizens to the unreasonable risk of identity theft. Perhaps if the County refuses to take such a step, legislation shifting the cost of possible identity theft breaches onto government agencies who do not take reasonable steps to protect data could give the county incentive to take these consumer protection steps. As I have mentioned in prior postings, according to the Federal Trade Commission, unfortunately Arizona has the highest number of per capita victims of identity theft in all states. Because we live in a high identity theft crime state, agencies and corporations alike must take reasonable steps to protect confidential information. Without providing a reasonable explanation, I believe it inappropriate to leave confidential data exposed on the internet and available for public inspection by anybody with a computer. Without encryption or password protection, such conduct seems outrageous. Because the County Recorder’s Office now suggests that upon request, it will take steps to remove information, you should probably consider conducting a search on the Maricopa County Recorder’s Office web site and if you see compromising information, request immediate removal of the private information by contacting the Recorder’s Office at 602-506-3535 or visiting the office in person at 111 S. Third Avenue in Phoenix.

What do you think about the County’s conduct? Do you believe our public records laws require that all information including social security numbers be released to anybody over the internet? Do you believe that our government should allow unlimited internet access to social security numbers and other personal information for another six months? Would a short-term delay of a few days be reasonable for the County to provide redacted records by mail rather than to allow immediate access to unredacted records, if such a minor delay minimizes risk of identity theft? Can you see important reasons to allow immediate access to public records while this six month transition takes place? Let me know your thoughts on this important issue.