Monterey County grand jury finds computer data risks

'Obsolete' protection policies expose county to lawsuits

June 21, 2014

Monterey Herald

By Julia Reynolds

SALINAS >> A civil grand jury issued a stern critique of Monterey County's ability to protect sensitive computer information, warning that delays in updating policies and procedures could expose the county to multimillion-dollar lawsuits.

The interim grand jury report was released Thursday.

"During the past eight or more years the Monterey County government has not devoted adequate attention to compliance with the California and federal privacy laws," the reports states.

It said the county "must now immediately change this attitude to strict attention and compliance if it is to avoid serious financial consequences for potential violations."

The investigation came about, the grand jurors wrote, after they learned of a March 2013 data breach at the county's Department of Social Services "on an old 200S computer health database connected to a California State network."

In that breach, "data was illegally accessed through state computers."

The grand jury decided a similar breach was unlikely to happen again, that the compromised data was very old, and that "the Social Services Department had appropriately notified the victims — albeit not as rapidly as contemplated by the privacy laws existing at the time."

But as it investigated that breach, the grand jury decided that county policies for protecting its data were "totally obsolete" and likely to run afoul of the latest privacy and data protection laws.

County counsel Charles McKee agreed that keeping up with the abundance of electronic privacy laws is critical as more county departments accept online credit card payments, whether for campsite fees at parks or tax collector payments.

"It's the expansion of services and the changing of the laws we have to respond to," he said. "That expands the data-use issues we have to be aware of."

The report asks county supervisors to immediately allocate additional funds to the county counsel and information technology offices.

Adding at least one full-time legal position to the County Counsel's office "is imperative at this point to help protect the county and its citizens," the report said.

The office "should promptly take all steps necessary to formally designate one of its lawyers as 'County Privacy Law Counsel' and to provide for that person's continuing legal education in this extremely complex area of the law."

And the county's information technology department, it said, should buy "various protective software packages that warn of impending attempts at data intrusion and stop them."

McKee agrees his office should have a dedicated privacy law expert, but added, "we're looking at whether it's something that we can handle with the current staffing level."

He said he appreciates the grand jury's "comprehensive" research and the thoroughness of its findings.

The civil grand jury always "makes people stand up and listen," he said.

While the report praised "the recent massive revision" of Monterey County privacy and security policies that's been underway for more than six years, it said the revised versions have not been disseminated widely enough throughout county agencies.

Grand jurors said they initially called county officials' attention to new laws governing data breach notice requirements that went into effect on Jan. 1.

In response, the report stated, the county's Board of Supervisors approved updated policies in May, an act the report commended.

" . . . Yet major efforts will still have to be made so that said policies are properly implemented and well understood by county staff," it said. "The required new technical software must also be installed, become operational, and then used properly."

The grand jurors spoke with "several well-known authors of published legal materials on the subject of privacy and security" and read expert reports from the International Association of Privacy Professionals to help determine where Monterey County stand in terms of cyber security.

The Board of Supervisors has 90 days to respond.

Julia Reynolds can be reached at 648-1187.