IT officials in Contra Costa County, California have launched an investigation into how hundreds of internal e-mails containing private employee data were sent out inadvertently to a Swedish company.
The investigation was launched after Computerworld notified the county that Robert Carlesten, a 26-year-old managing director of internet company Ord&Bild, based in Sweden, could produce dozens of e-mails he said have been arriving at his internet.ac domain regularly for the past two years.
Carlesten said he tried to contact the senders of the e-mails on numerous occasions but received no reply.
In addition to a deluge of administrative communications from the county's Department of Information Technology and human resources director, the e-mails contain detailed discussions and attachments related to the payroll files for the county's Superior Court as well as current and former employee benefits.
Many of the e-mails, obtained by Computerworld, contained the names, employee numbers and benefits of Superior Court commissioners and other workers.
Tom Whittington, CIO of Contra Costa County, said the county became aware of the problem only after receiving calls from Computerworld. A preliminary investigation, he said, revealed that the problem was the result of some county employees using erroneous e-mail address books and wasn't caused by a virus or worm infection.
"We've started to take action to stop this, and I believe we have stopped it," said Whittington. "We shut off and blocked the internet.ac domain so our employees can't send any e-mails to that address."
Part of the problem, said Whittington, is that the county's naming structure includes ".ac" for the auditor controller's office. "Now we need to research who has the bad address book that has this address."
But that move poses a potential challenge for Whittington's IT administrators: Many employees have personal address books that are stored only on their PCs, making it impossible for the county's IT department to centrally update all address books.
Although Whittington said he has been advised by the county's chief information security officer that counties and cities are exempt from California's landmark identity-theft law, known as SB 1386, some legal analysts said the county may be required to notify those whose personal information was compromised.
SB 1386, which went into effect 1 July 2003, requires companies that do business with California residents to inform customers when their names, in combination with personally identifiable information, have been accessed by an unauthorised person. If Contra Costa County is required to follow the statute, it would be the first major test of the law.
Dan Verton writes for Computerworld