ATLANTA - Georgia's secretary of state said Friday that he will hire auditing firm Ernst & Young to review the entire office, days after a lawsuit revealed that news media and political parties had received the Social Security numbers and other personal information about Georgia's 6 million voters.
Secretary of State Brian Kemp made the announcement in a statement that also provided more detail about how the release occurred while reiterating his confidence that voters' information is secure.
"Human error led to this information being shared with media and political parties," Kemp said. "All 12 discs have been recovered or confirmed they were destroyed by the recipients. I am confident that all voter information is secure and safe."
Kemp issued a required legal notice on the agency's website on Thursday that included fraud prevention tips. The state didn't offer to pay for credit monitoring or other steps to prevent identity theft, however, as Georgia Democrats and cybersecurity experts continued to question whether voters' information remains secure.
Georgia Secretary of State Brian Kemp"They didn't even get all the physical copies," said Rep. David Wilkerson of Powder Springs. "They're counting on people saying they didn't use or download them."
Kemp spokesman David Dove said earlier Friday that nine of the 12 discs containing the personal information were returned to the agency. One recipient, publisher of political blog PeachPundit.com Clayton Wagar, gave a signed statement to an investigator saying he had thrown away the October disc before being asked to return it.
Dove said investigators "are in the process of getting signed statements" from two other recipients.
Kemp said Friday that all 12 recipients "acted responsibly" and voters' information is safe. Dove added that neither the Republican nor Democratic party in Georgia saved, shared, or uploaded the file to their parties' national databases.
He said investigators with the agency are "gathering signed statements" from the other nine recipients.
"Our first priority was securing the discs, and then we wanted to alert everyone in accordance with the law to get that information out there," he said. "We're working day and night."
Rep. Scott Holcomb, an Atlanta Democrat, called on Kemp's office to publish the signed statements, adding that he's "astonished at the delay."
"The public has a right to see these documents since the Secretary of State used these attestations as the basis for his announcement that all data has been secured," Holcomb said.
It has become commonplace in the wake of data breaches for corporations and government agencies to offer to pay for credit monitoring for people who have been potentially affected. South Carolina spent nearly $50 million after its Department of Revenue was hacked, affecting about 6.4 million people listed on income tax returns filed online between 1998 and 2012.
Larry Ponemon, founder and chairman of the Ponemon Institute, a research company focused on IT security, studied the South Carolina breach. Government agencies often are focused on efficiency or lack the resources private companies have, but encrypting or encoding data to prevent use by unauthorized people doesn't take long and can be inexpensive, he said.
In Georgia's case, "there's really no way to determine who was accountable and who wasn't; who took the right steps and who was sloppy," Ponemon said.
Sasha Romanosky, a cybersecurity and privacy policy researcher at the nonprofit RAND Corporation, said that will make it difficult for Georgia to ensure voters' data didn't get shared or taken. "They have no idea," Romanosky said. "There's a loss of control of that information."
Kemp's office regularly sends an updated list of all registered voters in the state to political parties and news media organizations as required by Georgia law. The state sells the file to others. It is only supposed to include a voter's name, residence, mailing address, race, gender, registration date and last voting date.
Kemp said a technology employee violated the agency's security procedures by including Social Security numbers, driver's license numbers and dates of birth in the October files. Kemp said the employee, who has not been identified, didn't tell anyone about the mistake.
He said the agency learned about the error on Nov. 13 from an organization that received the disc. No statement came from Kemp's office for four days, after two Georgia women filed the lawsuit on Tuesday.
The women's attorney is seeking class-action status and said personal information for more than 6.1 million voters registered as of Oct. 13 was included in the file.