Internet Explorer 11 is not supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Not Retroactively Redacting May Have Exposed Social Security Numbers

Allegheny County, Pa., stores about 1,700 tax records online each year. In 2012, they purchased redacting software but didn’t retroactively redact sensitive information from previously uploaded 1997-2010 tax documents — leaving personally identifiable information exposed.

(TNS) — Hundreds of Social Security numbers could be contained in unredacted documents housed on the Allegheny County Civil Courts public website.

The Tribune-Review located federal tax lien documents filed each year from 1997 to 2010 that display unredacted tax identification numbers. In many cases, they are an individual’s Social Security number. Others are Employer Identification Numbers, used for businesses.

An average of 1,700 federal tax lien records connected to individuals and businesses are accessible on the civil courts website for each year. Tax lien records indicate unpaid taxes on property.

Allegheny County Director of Court Records Michael McGeever said the county did not retroactively redact these documents after it purchased redaction software in 2012.

“That software was capable of redacting Social Security numbers and other sensitive financial information that filers may have inadvertently added to court pleadings, but is certainly not infallible,” McGeever said in an emailed statement. “All filings presented to our office from October 2012 forward have been redacted using the newly purchased software. Documents filed before that date were not impacted as the practice was not applied retroactively.”

The Unified Judicial System of Pennsylvania enacted a statewide public records policy in 2018 that outlines how filings should be redacted.

Under that policy, it is the responsibility of the individual filing documents or that person’s attorney to ensure personal information is redacted, attorneys for the Pennsylvania Attorney General’s Office said in a statement.

The court or custodian of the documents is not responsible for fixing errors made by filers, the statement said.

Court pleadings filed at the Allegheny County Department of Court Records have been subject to that policy since, McGeever said.

“It’s not surprising that there are some documents available throughout the state, including here in the county, that have identifying information still contained in them,” he said. “The practice of redacting personal information is fairly ‘new’ in relation to the amount of documents held by the courts. And just for clarification, our department does not — nor has it ever — required that type of information for any pleadings presented for filing.”

Dangers Of Exposed Data

The documents containing Social Security numbers on the Allegheny County Civil Courts website are included in filings related to federal tax liens.

The “Notice of Federal Tax Lien” documents are filed by the IRS to the court records office to indicate that unpaid taxes have been assessed against a property.

Buyers looking to purchase a property will typically check for tax liens before going through with a deal, said Daniel Stoner, a Pittsburgh attorney who works in real estate law.

The notice includes the full name of the taxpayer responsible for the property, the taxpayer’s address and a tax identification number.

In the case of most individuals, that tax identification number is their Social Security number, Stoner said.

“They are supposed to be redacted, they’re considered personal information,” Stoner said, noting that attorneys are now responsible for making sure redacted versions of public documents are filed.

The IRS uses an Employer Identification Number, or EIN, to identify a business entity.

While an EIN is not as sensitive as a Social Security number, it’s still not something that would be shown in the public record, Stoner said.

Prior to the 2018 public records policy, it was common to see personal information pop up in other types of legal filings, like custody cases that included the full names and birthdays of minors, or mortgage foreclosures that contained Social Security numbers, Stoner said.

Exposed Social Security numbers could open several doors for thieves interested in stealing personal information, said Eva Velasquez, CEO of the San Diego-based nonprofit Identity Theft Resource Center.

Social Security numbers are used as both a form of identification and as a security mechanism, she said. Obtaining a Social Security number could allow thieves to access current and legitimate accounts, as well as to apply for new financial accounts, government benefits and other services.

If documents contain additional personal information, like previous addresses, thieves could have access to information to bypass knowledge-based security questions, Velasquez pointed out.

“Social Security number exposure really puts individuals at a high risk, and they do need to understand that they should take some type of action,” she said.

Anyone concerned about their Social Security number or other personal information that appears in court filings must petition the court to have the information removed.

“Individuals who are concerned about their Social Security numbers, or other personally identifying information, appearing in pleadings on the electronic filing and retrieval website have been instructed to petition the Court for removal of the information,” McGeever of the Allegheny County Court Records department said. “The department has no power to alter a court filing.”

Public Records, Private Data

The former Allegheny County Prothonotary’s Office began scanning and making all court filings available online in 2002, McGeever said. The elected office of prothonotary was dissolved in 2008, its functions folded into the Department of Court Records.

Prior to 2002, these filings were only available by requesting the case file in person.

This type of data exposure is becoming more common as municipalities around the country fail to secure new digital systems and struggle to reconcile open records laws with protecting personal information, said Velasquez.

“We have not figured that out yet on a national level, so we’re going to see more and more of these,” Velasquez said.

Of the 1,244 data breaches tracked nationwide by the Identity Theft Resource Center in 2018, 99 were related to government or military entities, according to a 2019 report.

Most of the total data breaches, 39%, were the result of hacking, and 30% of breaches were related to other unauthorized access.

Accidental exposure accounted for 9% of data breaches, while employee error, negligence, improper disposal or lost records made up 12% of data breaches.

“I think the challenge for these municipalities and government is exactly the tension between making data public and at the same time not compromising the individual’s privacy,” said Rahul Telang, a professor of information systems at the Heinz College of Carnegie Mellon University. “And that requires a more careful effort.”

Public entities may not be able to devote the resources — time, money or energy — to make that extra effort, he said.

“Unlike the private sector, where somebody’s job is on the line,” Telang said. “The stock price might go down. All the way from the top, there’s a lot more attention being paid to the user data that needs to be protected. In the public sector, I’m sure there’s attention, but there’s no particular chain of command where you can catch a particular user or a particular worker and say, ‘you didn’t do the job.’”

Mistakes could still happen, even if someone is paying attention, he said.

“I think many times, especially when the documents are digitized, it’s hard to notice that maybe some document, some information, is not completely concealed,” Telang said.

©2020 The Tribune-Review (Greensburg, Pa.). Distributed by Tribune Content Agency, LLC.