By Geoff Dornan
Appeal Capitol Bureau
November 10, 2007
More than 470 CDs containing payroll information about state workers,
including their Social Security numbers, have been either lost or stolen
over the past three years.
The discovery has prompted major changes in how those bi-weekly reports
to state agencies are handled
The issue was raised by former Department of Information Technology
security manager Jim Elste who says his efforts to make the state tell
workers their personal data may have fallen into the wrong hands caused
him to be fired from DOIT.
He made the argument during four days of hearings before Administrative
Hearing Officer Bill Kockenmeister. Elste is appealing his termination,
saying he is covered by the whistleblower statutes.
For the past three years, the personnel department has sent CDs to more
than 80 agencies for every two-week pay period so the financial officers
there can reconcile payroll against their own records. In that time,
Personnel Director Todd Rich said, more than 13,000 CDs have been sent
What Elste discovered in June was that there was no system for tracking
the CDs after they are sent, no system for getting them back or
destroying them, and that the data on the discs wasn't even encrypted.
Rich said 97 percent of the discs have been recovered, but he confirmed
that as many as 470 are still missing.
Elste said that should have prompted a "breach notification" to let all
the employees in agencies with missing discs know their personal
information may not be secure.
"We've lost personal information for many employees in the state," he
told the hearing officer. "Either personnel or the attorney general's
office should declare a breach."
"We haven't had any notification from anybody that, hey, my identity has
been stolen," Rich said.
He said it will be the attorney general's decision whether to issue a
breach notification. If so, he said, it will be done by the agencies
with missing discs.
Going forward, he said, the system has been tightened to prevent any
unauthorized people from getting employee information.
"It's on top of my list because we want to make sure foremost our
employees' personal information is protected," said Rich, who has only
been personnel director since May. "It concerns me greatly."
He said the CDs now require a password to read any data on them and
employee identities will be protected because, beginning next week, the
Social Security data will be replaced by a unique employee
identification number. He said that took time to do because it required
reprogramming the mainframe computer.
He said he has also implemented a system where the discs will be signed
for and returned to the personnel department after each pay period.
"We have new policies for managing the process," he said. "We want to
make sure we get this cleaned up."
Elste argues the state violated his rights by firing him for raising the
issue. He said it was his job as head of information security for the
DOIT Director Dan Stockwell testified Elste was fired for poor
management and lack of anger control. State officials say as a
probationary employee, he has no rights to appeal that firing.
That issue will be decided by Kockenmeister after attorneys on both
sides file their final briefs. His ruling is expected early next year.
or changes in how those bi-weekly reports to state agencies are handled.
Visit InfoSec News