By Marc Kovac, Capital Bureau Chief
Columbus -- What's the best place to store the names and Social Security numbers of 64,467 state employees?
The answer, apparently, is in an intern's car, in an apartment parking lot.
That's where a data storage device of some sort was left earlier this month when some crook broke in and took it.
So said Gov. Ted Strickland and representatives from various state agencies during a press conference June 15 -- nearly a week after said incident occurred.
In response, the governor issued an executive order calling for stricter handling of agency data. The state also has launched a Web site and call centers and will offer theft protection services (at an estimated cost of $660,000) over the course of the next year to all affected employees.
On the plus side, Strickland said the data device was in a format that could not be easily accessed.
"We have no reason to believe that there has been a breach of security at this time," he said.
And he said there was little evidence that the device was targeted.
"We have no reason to believe that this was a theft that was specifically directed toward the security of this device," he said.
It's common for public agencies and private companies to regularly back up computer data, and it's standard practice to take copies of such data off site to ensure their availability in the event of a catastrophic event (say, a building fire).
It's difficult to fathom, however, how 338,634 electronic files stored in 24,333 folders in a data storage device could be entrusted to an intern -- and how that device could be left in a parked car during a weekend.
In hindsight, it also seems strange that the governor's office waited a full five days before informing employees about the theft.
Strickland and other agency officials said they needed time to assess the situation -- it took a couple of days to determine exactly what was on the data device.
"I don't want to alarm people unnecessarily," Strickland said, adding later, "The worst thing we could have done... is to give out information that we are not confident is accurate."
To his credit, Strickland issued executive orders discontinuing such handling of employees' personal information.
"All agency directors shall immediately review and begin updating existing information technology security policies and practices to make sure that they comply with the current statewide Office of Information Technology security policies," he wrote.
As for what he's doing to protect himself from identity theft:
"I am fairly confident that my information is on the tape, and I can tell you that I slept very well last night," he said, adding, "I am concerned, and I don't want to trivialize this or minimize this. But neither do I want state employees to be unduly alarmed.
"I think we're putting in place certain steps and doing as much as we can do to minimalize the risk and give assurance that if in fact their privacy was violated, we want to have in place protections for them. And that we've done, at no cost (to the individuals)."
Marc Kovac is the Dix Newspapers Capital Bureau chief. E-mail him at email@example.com. His Capital Blog can be found online at blogs.recordpub.com/capitalblog.