Submitted via IRC for Bytram
This seems so wrong on so many counts I am at a loss for [printable] words.
Georgia Supreme Court Rules that State Has No Obligation to Protect Personal Information
Almost exactly one year after the stringent European General Data Protection Regulation came into effect (May 25, 2019), the Supreme Court of the state of Georgia has ruled (May 20, 2019) that the state government does not have an inherent obligation to protect citizens' personal information that it stores.
The ruling relates to a case that dates back to 2013. A Georgia Department of Labor employee inadvertently emailed a spreadsheet containing the names, Social Security numbers, telephone numbers and email addresses of 4,457 people who had applied for benefit to about 1,000 people.
Thomas McConnell, whose details appeared on the spreadsheet, filed a putative class action against the Department of Labor, alleging negligence, breach of fiduciary duty, and invasion of privacy. That case has progressed through the legal system to the Supreme Court, and has been dismissed (PDF).
While the Supreme Court has not ruled that there can never be an obligation to protect citizens' data, it has ruled that the obligation is not automatic -- and in the McConnell case, there were no separate requirements to provide the obligation.
McConnell had alleged negligence, breach of fiduciary duty, and invasion of privacy by public disclosure of private facts by the Department of Labor. Each of these claims has been rejected. The first to go was 'negligence' -- dismissed because there is no requirement in law to protect the data of benefit claimants. Furthermore, McConnell's claim that Georgia recognizes a "common law duty 'to all the world not to subject others to an unreasonable risk of harm'" (Bradley Center, Inc. v. Wessner; 1982) does not, according to this ruling, set a precedent.
Furthermore, the existing identity theft statute does not explicitly require anything from the data storer, while the statute restricting disclosure of social security numbers only applies to intentional disclosures and not accidental exposures as appeared here.
The fiduciary duty claim was then dismissed because no public officer stood to gain from the incident, and there was no special relationship of confidence between McConnell and the Department.
Finally, the allegation of an invasion of privacy was rejected. The Supreme Court ruled that "the matter disclosed included only the name, social security number, home telephone number, email address, and age of individuals who had sought services or benefits from the Department. This kind of information does not normally affect a person's reputation, which is the interest the tort of public disclosure of embarrassing private facts was meant to remedy."
[...] Venkat Ramasamy, COO of FileCloud, agrees: "Of course, public institutions should care and protect their stakeholders' data (I would say it is a reasonable expectation -- very similar to protecting the rights of personal property, freedom of speech and so on). I think it is high time to have federal privacy law which can be modeled after the California Consumer Protection Act (CCPA)."
(Score: 1, Funny) by Anonymous Coward on Sunday May 26 2019, @03:06AM
The kind of stupid @#%$ that works on a government salary because they aren't Superman and are stuck doing some custom task that none of the existing databases can do or do easily; adding that functionality to any of the databases would take years of change requests, requirements gathering, approvals, project planning, project implementation, task assignments restarting as IT staff turn over, documentation, testing, bug fixing, retesting, which is all likely to be rejected for a small 4,457 records, and all of that is moot because the database is going to be totally re-written in [insert irrelevant buzzword here] starting any day now and the higher ups expect it will only take six months and will, of course, include that functionality as well as the ability to slice bread.
So they use the tools they have available to them, which boils down to Microsoft Excel and possibly Microsoft Access. However, even if they have any idea how to use Microsoft Access, that treads awfully close to "programming", which is not their job unless they are part of the almighty IT Division, and could therefore even border on "using unauthorized software". So Excel it is.
And click the wrong button or not limit a list because there are a zillion more things to do before the end of the day.