Election commission breach leads to better e-security

Sunday, April 11, 2010 at 11:45pm

When a pair of Dell Latitude laptops disappeared from the headquarters of the Davidson County Election Commission in the final days of 2007, the result of a rock-through-the-window job by a man later identified as Robert Osbourne, chatter about e-safety whirred like a shoddy hard-disk drive in the office of Mayor Karl Dean.

That’s because the Social Security numbers of every registered voter in the county, or about 337,000 people, were on those laptops.

Less than two weeks after the theft, the message from the mayor’s office was authoritative, if a little curt: It had consulted outside professionals to look into further securing sensitive data. It had found other lapses in technology security, some as laughable as passwords taped to the computers they were supposed to unlock. The subtext was also rather clear: It should’ve been on top of the situation before, but you’d better bet Metro was getting on top of it now.

The laptops were recovered within a month, but the blame game had begun instantly. Metro demanded reparations from the security firm it hired to protect such things, eventually filing suit. The city offered a year of identity-theft protection to those whose security was breached (remarkably, only some 56,000 took advantage). Several citizens filed a class-action lawsuit against the city. All told, the gaffe cost Metro government $822,384.10, of which it recovered nearly half from the Wackenhut Corporation after settling the lawsuit.

Fast-forward to a few weeks ago, when Dean sat through four grudging days of budget hearings, all of which contained some element of doom, given that he had tasked his department heads with finding ways to slice 7.5 percent from their budgets.

Keith Durbin was there. In fact, the head of Metro’s Information Technology Services had already submitted a couple requests: first, that the mayor establish a hierarchy for technology security, which he did via an executive order; and second, that ITS be allotted roughly $150,000 to hire a full-time chief information security officer, a sort of overseer and modern-day maintenance man.

The latter is still up in the air.

“[The mayor is] considering each department’s requests and will present the budget to the Metro Council at the end of April,” Deputy Mayor Greg Hinote said. “That said, the mayor recognizes the importance of information security and has made it a priority to find a way to fund the … position.”

More than two years after what is likely the biggest security breach in Nashville’s e-history, city government seems to have figured out how to protect your information. But, as any techie will tell you, that changes almost every day.

Constantly changing landscape

Durbin was a Metro Councilman in District 18 when the laptops were stolen. He worked behind the scenes with city government to issue a meaningful first response, and when his predecessor retired that September, Durbin was tapped to head ITS.

He told The City Paper that at the time, there was no comprehensive security policy in place. Some, like Metro police and the sheriff’s office, are self-contained because the nature and sensitivity of the information they maintain is quite different from, say, Metro Parks, according to Hinote. In essence, though, too many departments were conducting IT security autonomously, and there was no formalized response system in the case of an emergency.

“This information security initiative is the one real mandate I got when I was offered the job,” Durbin said. “It’s been the No. 1 priority for this department, for sure, since I walked in the door.”

The executive order Dean issued on March 26 creates a new position — chief information officer — which will be filled by the sitting ITS director; a blanket, Metrowide IT security policy like what Durbin initially recommended; and a seven-member advisory board to study and monitor its implementation.

That doesn’t mean ITS will begin managing tech security for all departments. Think of it this way: There is now a checklist by which each department should abide to maintain the highest level of security for the time.

And there’s the rub. While Nashville appears to be on par with comparable city governments in terms of e-security, it still lags behind most private companies of similar size and scope.

As well, every regulatory change brings about a new tweak to e-security — consider the effect when the federal government changes health-patient privacy rules, for example. And Google has recently shown its blemishes in an intelligence dustup with China, reminding the world that even the foremost innovators are susceptible to the rising tide of cyberterrorism.

“We’re in a time where personal information is readily stored in electronic form, and I believe it’s especially incumbent upon us, as a government, to make IT security a priority — both for the public’s peace of mind and our ability to function,” Dean said. “It’s unfortunate that it took an incident at the election commission to bring this issue to the forefront. But it has given us the opportunity to ensure that our policies are based on the highest industry standard, and possibly prevent an even worse situation from occurring in the future.”