The Atlanta Journal-Constitution (AJC) reports that two Georgia women, Elise Piper and Yvette Sanders, “have filed a class action lawsuit alleging a massive data breach by Secretary of State Brian Kemp” affecting the personal information – including Social Security numbers – of Georgia’s 6.2 million registered voters.
In a statement, Mr Kemp said:
“Our office shares voter registration data every month with news media and political parties that have requested it as required by Georgia law.
“Due to a clerical error where information was put in the wrong file, 12 recipients received a disc that contained personal identifying information that should not have been included. This violated the policies that I put in place to protect voters’ personal information.
“My office undertook immediate corrective action, including contacting each recipient to retrieve the disc, and I have taken additional administrative action within the agency to deal with the error.”
State data breach notification law
Enacted in 2005, Georgia’s data breach notification law requires entities – except for certain governmental agencies – that collect and process personal information to inform Georgia residents without unreasonable delay of any data breach that results or could result in the unauthorized acquisition of their unencrypted personal information.
The lawsuit alleges that “Kemp has not notified a single Georgia citizen that his or her information may have been compromised”.
Democratic Party of Georgia chair DuBose Porter was quick to condemn Mr Kemp, saying:
“This wasn’t hacking. This is a government official — Brian Kemp — distributing the personal identification information of over six million Georgians. My privacy has been compromised, and yours probably has as well. It’s been over a month, and not a single voter has been notified — it took a lawsuit for Georgians to learn that their information has been compromised.”
Combating ‘clerical errors’
The international standard ISO 27001 sets out the requirements of an information security management system (ISMS), which provides a risk-based approach to information security that enables organizations of all sizes, sectors, and locations to mitigate the risks they face with appropriate controls.
An ISMS addresses people, processes, and technology, providing an enterprise-wide approach to protecting information – in whatever form it is held – based on the specific threats an organization actually faces, thereby limiting the threats posed by ‘clerical errors’, inadequate procedures and out-of-date software solutions – among others.
Implementing an ISO 27001-compliant ISMS and achieving registration to the Standard can, however, be a complicated undertaking. ISO 27001’s documentation requirements can run to thousands of pages, which on their own would take days if not weeks to create. But what if an expert could write all of those documents for you?
IT Governance’s ISO 27001 Documentation Toolkit provides all of the ISMS documents you need in order to comply with ISO 27001, including 11 policies, 66 procedures, 24 work instructions, and 36 records, plus an Information Security Manual and additional guidance, all of which can be customized to suit your organization with a single click.
And thanks to our Cyber November offers, if you order your ISO 27001 Documentation Toolkit before November 30, you’ll get a copy of Nine Steps to Success – An ISO 27001 Implementation Overview (list price $37.95) absolutely free.