dentity theft victim wins right to sue county clerk over posting of personal data

Ohio appeals court reverses dismissal of lawsuit claiming that posting of speeding-ticket image violated privacy laws

Jaikumar Vijayan

September 30, 2008 (Computerworld) An Ohio woman whose identity was allegedly stolen after an image of a speeding ticket containing her personal information was posted on a county government Web site can sue the county official responsible for putting such records online, a state appeals court in Cincinnati ruled last week.

The appeals court reversed a trial judge's decision to dismiss an identity theft lawsuit filed by Ohio resident Cynthia Lambert against Greg Hartmann, the clerk of courts for the state's Hamilton County, which is centered around Cincinnati. Last week's ruling (download PDF) allows Lambert to reinstate her legal claims that Hartmann violated Ohio's Privacy Act, invaded her privacy and unlawfully published "private facts" by posting her personal data on his office's Web site.

The ruling is the latest in a series of controversies involving county governments across the U.S. posting public records containing sensitive personal data on publicly accessible Web sites. Earlier this month, for instance, the Iowa County Recorders Association said it would disable online access to mortgage documents and personal financing statements on a statewide land-records Web site after concerns were raised about the possible compromise of Social Security numbers that are included in some of the documents.

Over the past few years, privacy advocates have warned that county Web sites have become a treasure trove for identity thieves and other fraudsters, and they have pushed government officials to redact personal data from online copies of public records.

The case in Ohio stems from a speeding ticket that Lambert received in September 2003. The ticket, which included her name, Social Security number, driver's license number, home address, birth date and signature, was filed with the Hamilton County clerk's office, and an image of it was posted on the clerk's Web site as part of a policy to make public records available online.

According to court documents, about a year after Lambert received the ticket, she was notified by two separate retailers of large purchases made by someone using her name. Lambert said in her legal filings that a Sam's Club store told her a woman who showed a driver's license that purportedly was hers had bought $8,000 worth of electronics. In addition, a Home Depot store informed Lambert of $12,000 in purchases made by an individual who had opened a credit-card account in her name, again using a fake driver's license.

Lambert claimed that the information used to steal her identity came from the online image of the speeding ticket. She pointed out in her filings that the number on the driver's license used at the stores was different from hers by one digit — exactly how the number had appeared on the county clerk's Web site because of a recording error by the police officer who issued the ticket.

In addition, Lambert noted that a woman who was arrested on and pleaded guilty to felony fraud charges for stealing Lambert's identity had admitted to being part of a gang that misused personal information taken from the clerk's Web site.

In a federal lawsuit filed in late 2004, Lambert charged that Hartmann had acted with willful disregard for her privacy in posting the image of the speeding ticket. She claimed that the clerk had known since at least 2002 that identity theft had been committed by individuals using information gathered from public Web sites such as his, but that he nonetheless had continued to post public records without redacting sensitive data to hide it from public view.

Hartmann, on the other hand, argued that he should be held immune from prosecution because he had authorized the posting of the speeding ticket and other public records as part of his official duties, without any malicious intent or forethought. He also said that at the time the image of Lambert's speeding ticket was put online, there were no laws in Ohio that prevented or limited such postings. And he contended that he couldn't be held liable for publishing Lambert's private data because by definition, the speeding ticket was a public record.

A federal judge dismissed Lambert's lawsuit, which she then refiled in the Hamilton County Court of Common Pleas, where it was similarly dismissed. But last week's ruling by Ohio's First District Court of Appeals — which serves Hamilton County only and is also known as the Hamilton County Court of Appeals — reversed the trial-court decision and said Lambert had established valid claims relating to privacy violations that she had a right to argue in court.

The ruling noted that although there was no law preventing Hartmann from posting public records on the county Web site, he should have known that there was a law preventing personal data such as Social Security numbers from being published online.

In a voice-mail message, Hartmann referred questions about the appeals court's ruling to the county's legal counsel, who didn't immediately return a phone call. The home page of the clerk's Web site includes a notice saying, without further explanation, that public access to court documents has been "temporarily suspended." The notice is undated, although it apparently predates the ruling by the appeals court.

One of the goals of posting public records online is to make them more easily accessible to businesses, such as title companies, that need to access them for legitimate purposes. But the trend has resulted in many counties making public records containing Social Security numbers and other personal data available to anyone with Internet access.

States such as California and Florida have enacted laws that require counties to redact personal data from documents before making them available online. As a result, most of the sensitive data that can be found on Web sites is in older records that had already been posted. But with some sites holding tens of millions of documents altogether, the number containing personal data can easily run into the hundreds of thousands per site — leaving counties facing big redaction efforts and costs.