Legislative auditor probes DNR data breach
Published 4:45 pm Saturday, January 19, 2013
MINNEAPOLIS — Minnesota’s legislative auditor said Friday he’s investigating a data privacy breach at the Department of Natural Resources in which an employee accessed the driving or motor vehicle records of about 5,000 people without authorization.
That list includes several journalists, attorneys and government employees, and possibly some legislators.
The DNR announced the breach Tuesday, saying the employee was no longer with the agency, and that it found no evidence the data was sold, disclosed to others or used for criminal purposes. The agency also said the state Bureau of Criminal Apprehension was investigating the breach, but no charges had been filed.
Legislative Auditor Jim Nobles declined to say what he has learned so far about the breach. The DNR has declined to release the employee’s name or his or her position within the agency.
“We are following up with the Bureau of Criminal Apprehension to have a good understanding of what they have already done and what they need to do further,” Nobles said, adding that his office doesn’t want to interfere with or duplicate the investigation into potential criminal charges.
Officials haven’t said why the former employee accessed the records, but the DNR sent notifications this week to the 5,000 affected Minnesotans.
Several journalists received the letters, including two Associated Press reporters and reporters at Twin Cities newspapers and television stations. Several lawyers, court personnel and state government employees also have said they received the notices.
It’s not clear whether the former DNR employee accessed their records as part of any pattern or just by coincidence.
Rep. Rick Hansen, DFL-South St. Paul, sent Nobles a letter Thursday saying it would be prudent for him to investigate.
Hansen said he became concerned when he started seeing reports that the breach included reporters, and he later heard from colleagues that several legislators had also received the same letters, though he said he didn’t know who.
“It starts out as a small story and it gets to be more complex,” Hansen said. “The auditor has the ability and authority to get to the bottom of this. He’s done that before and I have confidence in his skill and professionalism to do it again.”
It’s illegal to access drivers’ license data without a legitimate government purpose, but past investigations have found that misuse is common and several public employees have faced discipline for it. Several cities have recently agreed to settlements totaling over $1 million with a former Eden Prairie police officer who alleged her private data was improperly viewed by more than 140 officers from various departments.
Annamarie Hill-Kleinhans, the executive director of the Minnesota Indian Affairs Council, said she received one of the DNR’s letters and took the steps it recommended to protect herself against identity theft. She said the case highlights the need for people to protect themselves against identity theft before it happens.
“At this point nothing surprises me,” she said. “I just think it’s the world we live in.”