More than 470 CDs containing payroll information about state workers, including their Social Security numbers, have been either lost or stolen over the past three years.
The discovery has prompted major changes in how those bi-weekly reports to state agencies are handled.
The issue was raised by former Department of Information Technology security manager Jim Elste who says his efforts to make the state tell workers their personal data may have fallen into the wrong hands caused him to be fired from DOIT.
He made the argument during four days of hearings before Administrative Hearing Officer Bill Kockenmeister. Elste is appealing his termination, saying he is covered by the whistleblower statutes.
For the past three years, the personnel department has sent CDs to more than 80 agencies for every two-week pay period so the financial officers there can reconcile payroll against their own records. In that time, Personnel Director Todd Rich said, more than 13,000 CDs have been sent out.
What Elste discovered in June was that there was no system for tracking the CDs after they are sent, no system for getting them back or destroying them, and that the data on the discs wasn't even encrypted.
Rich said 97 percent of the discs have been recovered, but he confirmed that as many as 470 are still missing.
Elste said that should have prompted a "breach notification" to let all the employees in agencies with missing discs know their personal information may not be secure.
"We've lost personal information for many employees in the state," he told the hearing officer. "Either personnel or the attorney general's office should declare a breach."
"We haven't had any notification from anybody that, hey, my identity has been stolen," Rich said.
He said it will be the attorney general's decision whether to issue a breach notification. If so, he said, it will be done by the agencies with missing discs.
Going forward, he said, the system has been tightened to prevent any unauthorized people from getting employee information.
"It's on top of my list because we want to make sure foremost our employees' personal information is protected," said Rich, who has only been personnel director since May. "It concerns me greatly."
He said the CDs now require a password to read any data on them and employee identities will be protected because, beginning next week, the Social Security data will be replaced by a unique employee identification number. He said that took time to do because it required reprogramming the mainframe computer.
He said he has also implemented a system where the discs will be signed for and returned to the personnel department after each pay period.
"We have new policies for managing the process," he said. "We want to make sure we get this cleaned up."
Elste argues the state violated his rights by firing him for raising the issue. He said it was his job as head of information security for the state.
DOIT Director Dan Stockwell testified Elste was fired for poor management and lack of anger control. State officials say as a probationary employee, he has no rights to appeal that firing.
That issue will be decided by Kockenmeister after attorneys on both sides file their final briefs. His ruling is expected early next year.
Contact reporter Geoff Dornan at firstname.lastname@example.org or 687-8750.