Doyle asks Metavante to investigate state data breaches

Madison, Wis. - Stung by yet another data security breach, Gov. Jim Doyle has asked Metavante Technologies, Inc., a Milwaukee-based financial services and privacy protection firm, to lead an immediate review of state agencies to determine where private information is held and how to protect it.

The announcement comes on the heels of the release of 260,000 Social Security numbers on a Medicaid booklet mailing sent out by the state and its contractor, Electronic Data Systems, which handles the state's health data, and the Department of Revenue's admission that it mailed up to 5,000 letters with visible Social Security numbers to taxpayers.

Metavante has agreed to conduct the review on a pro bono basis, and Doyle sounded more resolute following the third release of sensitive personal information in the past 13 months.

“What happened at DOA (Department of Administration) is unacceptable, and I have ordered immediate action to correct the problem,” Doyle said in a statement released today. “It is clear that state workers took various steps to prevent this breach of information, but any breach - no matter how small - is unacceptable."

Not again

Thirteen months before the most recent data breach, a different state contractor, working on behalf of the Department of Revenue, printed 170,000 Social security numbers on tax booklet that had been mailed.

In announcing the Metavante-led review, Doyle noted that state government has a duty to protect and secure the sensitive information it collects each day. Earlier, the state announced it would replace Social Security numbers as a Medicaid identifier with randomly generated ID numbers, a practice followed by all other Midwestern states.

“Our greatest responsibility is to protect the citizens of this state,” Doyle said. “That means we must do everything possible to dutifully protect the private information of every citizen and crackdown hard against identity theft.”

Metavante was spun off from Marshall & Ilsley Corporation on Nov. 1, 2007, as a separate public company that trades on the New York Stock Exchange. In a statement released Feb. 16, Metavante indicated it would investigate and recommend best practices to safeguard the personal information Wisconsin citizens.

"At the request of Gov. Doyle, Metavante has offered to provide several of our staff members to assist the state in reviewing its current practices
for personal data collection and management," the company said. "We will begin that work immediately at the Governor’s request."

Worst practice

While EDS has yet to identify what went wrong in the latest case, lawmakers have promised to hold hearings to get to the bottom of what some believe is a simple case of database mismanagement. Attorney General J.B. Van Hollen is looking into whether EDS violated any state laws.

Whatever the cause, the use of Social Security numbers as an identifier is hardly seen as a “best practice” on the part of state government. “It's ridiculous at this point,” said David Rasmussen, president of Extract Systems, a Madison-based company that develops data entry productivity software for identity theft protection and automated data extraction.

Metavante was chosen in part because it has ample opportunity to secure the personal data of its clients and their customers. One of the state's largest technology companies specializing in financial data record-keeping, Metavante serves thousands of financial institutions and millions of customers internationally, and processes more than 18 million deposit accounts each day. The company also produces roughly 5.5 million Form 1099/1098s on behalf of its financial institution clients and their customers, and prints and distributes over nine million monthly statements, notices, and bills.

No excuses

Even with this step, the Governor's legislative critics weren't about to let him off the hook. State Sen. Ted Kanavas, R-Brookfield, said Doyle is a year late and millions of dollars short on a solution. "Wisconsin cannot afford this level of recklessness from the Doyle Administration," Kanavas said in a statement released by his office. "Taxpayers are forced to spend hundreds of thousands of dollars on credit monitoring services every time a mistake is made."

After the 2006 data breach, Kanavas called on the Joint Legislative Audit Committee to conduct a performance review audit on data security practices in each branch of state government, which the committee declined to do.

Related stories

• Identity theft start up has fast-track growth plans

• Kanavas calls for audit of data security practices

• Mark Garsombke: Wisconsin identity theft law: A cheap plastic sword

• Safe Internet requires total network security, prof. says

• Joseph Campana: Identity theft: The business time bomb