Hello, Wisconsin: Wake Up on Data Security

Aug. 4, 2012 -- Gov. Scott Walker has earned a national reputation for his hack-and-slash approach to government spending. Working hand-in-glove with both Houses of the GOP-controlled legislature, the Wisconsin governor gutted the collective bargaining rights of public sector unions.

While tight with the purse strings when it comes to public employees and a self-proclaimed advocate for small business (though very well-funded by big business), apparently the Walker administration does support full employment for at least one group of workers who clearly don't rely upon collective bargaining: identity thieves.

Last week, the Wisconsin Department of Revenue revealed that it had accidentally made public 110,795 Social Security numbers and tax ID numbers of Wisconsin residents. The numbers were mistakenly embedded in a real estate report and posted to the department's website for almost three months before being removed.

There are some very disturbing trends here. First, the Walker administration doesn't seem to have any concept of what it's talking about when it comes to identity theft. Walker's appointee, Revenue Secretary Rick Chandler, clearly missed the boat when he said in a prepared statement: "We know the individuals who downloaded this file are using it for their own business purposes and have no malicious intent…"

Actually, Mr. Chandler, you know nothing. Sure, the report's intended audience was real estate appraisers and realtors. However, the curious thing about the Internet is that once something is posted on a free public site, it's out there for the entire world to see, and it may never be reeled back in. This means that one of those 138 people who downloaded this online "oops" could easily have been an identity thief, or may have accidentally or intentionally handed the document off to an identity thief, and there is absolutely no way for you or anyone else to know. You see, even assuming all 138 people who accessed the information were legitimate, who's to vouch for the security of the systems or networks they used? Once it's out… it's out.

The second disturbing thing about this data breach is that it demonstrates the government of the Great State of Wisconsin is continuing its grand tradition of negligence when it comes to protecting thepersonal identifying information of its citizenry. This is the fourth time since 2006 that Wisconsin state agencies have been involved in the public release of Social Security numbers.Three of those breaches involved the Revenue Department.

In 2006, a private contractor working for the department mailed 171,000 tax booklets with taxpayers' Social Security numbers printed right on the front. That's a goof significant enough to make an identity thief fall to his knees and praise the Lord. While the state managed to intercept 54,500 of the botched booklets at post offices, that mishap still cost taxpayers $500,000 to cover one year's worth of credit monitoring services for victims of the breach.

Apparently, the department still didn't learn its lesson. In January 2008, it mailed 5,000 tax forms with taxpayers' Social Security numbers clearly visible through the envelope windows. Department executives tried to weasel their way out of responsibility by blaming the breach on the machine that folded the forms, instead of taking a hard look at the humans who ran the folding machine, or the humans in charge of reviewing the work of the humans who ran the machine that folded the forms. (And you thought that disasters only came in threes?)

That same month, the Wisconsin Department of Health and Family Services had a FUBAR of its own, when a private contractor mailed 260,000 booklets to Medicaid recipients in the statewith their Social Security numbers printed right on the front.

One reason this happened is that unlike its neighbors, Wisconsin still uses Social Security numbers as Medicaid ID numbers. Wisconsin Rep. Marlin Schneider, known by the catchy nickname "Snarlin' Marlin," called that practice "stupid." I couldn't have said it better.

So, for those keeping score, here's how to tell that the identity theft problem in Wisconsin isn't getting any better.The previous breaches either involved third-party vendors for the state, or a relatively small number of Social Security numbers leaked by the state itself. But this latest debacle was a whopper: Over 100,000 Social Security numbers have been potentially exposed to any fellow, well-intentioned or not, with a laptop or a smart phone. And it was committed by the Walker administration itself, not by some third-party operator in Plano, Texas.

Even after hundreds of thousands of innocent "Cheeseheads" have been exposed to identity theft and all manner of financial crimes; even after the state has spent (or will spend) more than $1 million on credit monitoring for victims (which doesn't really help anyway, since all the thieves have to do is wait a year plus one day to begin their wild spending sprees using the purloined Socials); Scott Walker's appointee had the audacity to imply that he believes the people of Wisconsin are safe.

I have a few suggestions for Mr. Walker that might help to make things right. Firing Secretary Chandler would be a good place to start. (I think you can do that immediately Governor, as I don't believe he is a member of the Civil Service.) He very clearly doesn't appreciate the importance of data security, or even how it works, and though I'm sure he's a nice guy, this is a weakness the citizens of Wisconsin cannot afford in that position. It would send an unequivocal message to the rest of Wisconsin's department heads that taxpayers' private data is of paramount importance, and must remain private. These data breaches must end.

Second, like most states, Wisconsin clearly needs tighter rules and procedures regarding protections for citizens' personally identifiable information (PII).

Governor, you have become a political icon for "right thinking" Americans, but when it comes to data security, your administration has to think smart and do what is right. Data like citizens' names, addresses, birthdates and Social Security numbers, functions like keys to the locks of the economy, opening doors to bank accounts, credit cards, car loans, mortgages, personal loans and all sorts of medical and criminal exposure. Sending that data through the mail, effectively embossed on the front of envelopes, or releasing it into cyberspace for all the world to see is like giving a drunk the keys to your Chevy and wishing them a safe trip home.

Finally, sir, I have a proposition. Because Wisconsin agencies have demonstrated a disturbing penchant for "billboarding" the PII of your citizenry several times over the past few years, it seems that it's time for you to get some help. There are plenty of companies out there that can help you evaluate the integrity of the Wisconsin Department of Revenue's security protocols and help you develop and implement a data breach preparedness and response program.

Full disclosure, I own a company that does this kind of work and I'd be willing to give you two weeks of consulting for free just to get you moving on this. However, even if you choose to decline my offer, I urge you to retain a qualified organization to thoroughly investigate the security systems and protocols in place throughout your government agencies. The citizens of Wisconsin deserve no less.

Adam Levin is chairman and cofounder of Credit.com and Identity Theft 911. His experience as former director of the New Jersey Division of Consumer Affairs gives him unique insight into consumer privacy, legislation and financial advocacy. He is a nationally recognized expert on identity theft and credit.