Following up on the apparent hacking of the Anderson County Courthouse’s main computer server, we have now heard from more county officials.
As we reported Tuesday, Law Director Jay Yeager issued a statement to all county employees informing them of a potential security breach of the courthouse’s main computer server. The memo was sent to all elected officials, school system employees, School Board members, Veterans Service members and county contractors and stated, in part that “the extent, type and amount of data compromised has not yet been fully determined; however, this may include your confidential personal identifying data.”
The breach was discovered late last week and reported to county officials and law enforcement and was discussed Monday evening by the County Finance Committee.
County Commission Chairman Steve Emert indicated in a message sent to officials and provided to WYSH that he would like answers from County Mayor Terry Frank as to what happened and how, and answers from Yeager as to how to proceed going forward. You can read his statement on our website as well.
Frank says that there are “multiple departments with multiple service contracts and vendors,” and that she is not in charge of all of the county’s computers, as some people have stated.
Mayor Frank, in an email responding to requests for comment, says that since learning of the breach she has been in contact with state officials and that she, too, is trying to “discern the nature or cause of the breach, if the contractor that serviced the county was the problem…so that employees [and] departments could be made aware,” but indicated she does not yet have that information. Frank also says that she has asked law enforcement officials for similar information “in order to prevent the further compromising of data, storage and confidentiality of Anderson County records.” She added that she has not yet received that information, either.
During Monday’s Finance Committee meeting, Yeager told committee members that “there is not doubt there is nothing this county could have done, as far as I know, that could have foreseen this.”
Frank says that she is taking the breach “extremely seriously and [hates] the anxiety it causes each and every one of us who might be affected.”
The information was released on Tuesday as county officials complied with an amended state law dealing with data breaches that requires notification to anyone whose personal information—encrypted or not–may have been compromised by a hacking incident.
(From http://www.workplaceprivacyreport.com/) On March 24, 2016, Tennessee’s breach notification statute was amended when Governor Bill Haslam signed into law S.B. 2005.
Under the amendment, notification of a data breach must now be provided to any affected Tennessee resident within 45-days after discovery of the breach (absent a delay request from law enforcement). Previously, and like the vast majority of states, Tennessee’s statute required disclosure of a breach to be made in the most expedient time possible and without unreasonable delay. Florida, like the Volunteer State, previously amended its breach notification statute to also require notification within a set time period.
Perhaps even more important than the specific timing requirement for notice, S.B. 2005 also amends Tennessee’s statute to remove the provision in the existing statute requiring notice only in the event of a breach of unencrypted personal information. Accordingly, by expanding this provision, it appears Tennessee will be the first state in the country to require breach notification regardless of whether or not the information subject to the breach was encrypted.
Lastly, the bill also amends the statute to specify an “unauthorized person” includes an employee of the information holder who is discovered to have obtained personal information and intentionally used it for an unlawful purpose. This amendment is likely focused on entities which failed to provide notification of data incidents which were the result of improper access by employees.
Here is a link to the amended law itself: http://share.tn.gov/sos/acts/109/pub/pc0692.pdf