Schnirman worries about public record posted on county website (updated)
After falling for a $710,000 phishing scam, County Comptroller Jack Schnirman is warning Nassau legislators against posting "sensitive" information on their website -- an issue the county and the state's open government director addressed four years ago.
Schnirman, who recovered the $710,000 after a police investigation, wrote a letter to the leaders of the county legislature Wednesday. He said that while reviewing "potential vulnerabilities" in the county, "it has come to light that sensitive pieces of vendor information (such as the Federal Tax Identification Number--TIN) have been publicly available" on the legislature's website.
Schnirman, who has consistently advocated for transparency in fundraising emails, said, "We must balance transparency with the need to protect sensitive information."
He encouraged lawmakers "to review the publicly available information for redaction of sensitive information."
But Presiding Officer Richard Nicolello (R-New Hyde Park) noted today in a letter to County Executive Laura Curran that the former county attorney had issued rules for posting contracts two years before Schnirman, a Democrat, took office. Nicolello also wondered why the comptroller had not contacted Curran, a Democrat to see if the rules needed revisions.
Nicolello included a copy of a 2016 memo from then County Attorney Carnell Foskey directing all department heads to avoid disclosure of private vendor information. Foskey said they should advise vendors to redact all sensitive information on "web ready" paperwork. Such sensitive information, Foskey wrote, includes social security numbers, home or personal telephone numbers, home addresses, information of a personal nature where disclosure would cause hardship, and trade secrets.
More than six months of contracts that had been posted online were taken down then for redactions.
At the same time as Foskey's memo was issued, Robert Freeman, then executive director of the state's Committee on Open Government, told Newsday that federal tax identification numbers are public record.
"Company tax ID numbers are not private," Freeman said, and can be found on many public documents. “Its not personal,” he explained. “If its not personal, the privacy exemption would not apply.”
A web search today also found that federal tax id numbers are public.
Asked why Schnirman was advocating that public information, such as the federal tax id number, be removed from the website, his spokesman Harrison Feuer, said today in an email, "Since taking office in 2018, the comptroller has made transparency initiatives a top priority."
But the comptroller's office also reviews available data to determine whether publishing it "advances transparency," he said.
"While not private information, publishing certain information (such as tax ID numbers) offers limited transparency benefit while also creating vulnerability for fraud," he said. "As such, the county should recognize this concern while continuing to advance transparency initiatives."
Nicolello, in his letter to Curran and County Attorney Jared Kasschau, said the legislature relied on Foskey's guidelines.
"I am providing a copy of Mr. Foskey’s letter to the Comptroller since he apparently did not know
that the administration had a procedure in place for handling sensitive vendor information in
disclosure documents," Nicollelo wrote.
"If there has been a change in the procedures for handling sensitive vendor information, please
advise any new or revised procedures adopted by your administration."
He also said he will ask Schnirman's office to identify sensitive data and work with county IT to see that is is removed.
Curran spokesman Michael Fricchione said the administration is mandating cybersecurity training for all county employees.
In the cyberattack against the comptroller's office, a scammer impersonated a county vendor in an email and directed that payments be sent to a new bank account. The comptroller learned of the scam when notified by the bank that the account was fraudulent, according to testimony at a finance committeee meeting last week.
Comments
Post a Comment