Wash. Courts Data Breach Exposes States’ Vulnerability

May 10, 2013 – In The News
Law360

Mark McCreary was quoted in the Law360 article "Wash. Courts Data Breach Exposes States’ Vulnerability." While the full text can be found in the May 10, 2013, issue of Law360, a synopsis is noted below.

The Washington state court system has revealed a data breach that compromised the Social Security and driver's license numbers of more than 1 million individuals, an incident that attorneys say highlights the vulnerability of state databases that are often not afforded the necessary resources to protect the valuable personal data they hold.

In a public statement, the Washington State Administrative Office of the Courts acknowledged that intruders had infiltrated its public website in the fall of 2012. While the the office originally believed that only nonconfidential information had been obtained, further investigations confirmed that at least 94 Social Security numbers were obtained and there is the "potential" that up to 160,000 Social Security numbers and 1 million driver's license numbers may have been accessed as well.

Attorneys said that, while the states desire to focus more closely on security moving forward is a good step, the damage has already been done, and that the state's good intentions may ultimately be undermined by a lack of resources that could be devoted to maintaining the security of private information.

"We're not talking about a large multinational corporation that just neglected to update its software," partner Mark McCreary said. "There are limited funds available to any sort of state or local government as far as protecting private information."

In order to protect personal information stored in massive databases like the one used by the Washington state courts from increasingly sophisticated and prevalent cyberattacks, entities need to devote resources to information technology personnel that will ensure that the computer software is up to date and that precautions like encrypting data and limiting the amount of information collected are taken, according to attorneys.

While the breach impacted court records, attorneys noted that the issue is not limited to the judiciary.

"It goes beyond courts, to places like the police department and local government," McCreary said. "If the Washington state court system couldn't get it right, what's going to happen with a small town's local government or police department that has the exact same information on its computer and has taken zero effort or doesn't have the funds to protect the data?"

While similar problems also exist at the federal level, the federal government has paid more attention to data security since a 2006 breach at the U.S. Department of Veterans Affairs exposed the personal information of 26.5 million individuals, and U.S. district courts generally make a more concerted effort to redact personal information, McCreary noted.

Still, courts remain an attractive target for the seemingly growing number of attacks orchestrated by identity thieves and other aspiring criminals, given that they hold personal information that is just as valuable as the data contained in any other public or private sector database, according to attorneys.