Thursday, March 18, 2010
AG recommends state employee identification numbers be kept confidential because of security concerns, leads to change in network security procedures
State employee identification numbers should be kept confidential because disclosure could expose the state's payroll system to hacking, the Attorney General's Office said this week.
But the assistant attorney general's letter detailing how hackers could use the information to enter the system led to the Office of State Finance changing the password system, The Oklahoman reported today.
Network security systems should rely on passwords and the number of times someone can try to log on before being locked out, said a data privacy expert who was the keynote speaker for FOI Oklahoma's third annual Sunshine Week conference on Saturday.
The more unique identifiers, the better the system, said Richard J.H. Varn, chief information officer for the city of San Antonio and executive director of the Coalition for Sensible Public Records Access.
The Oklahoma Public Employees Association, which opposes release of employee birth dates, posted the assistant attorney general's letter to its Web site on Tuesday.
The OPEA quickly equated the employee identification numbers with birth dates, calling them private information.
The Oklahoman, however, pointed out that it had requested dates of birth and employee identification numbers of state employees as part of an ongoing look into the backgrounds of public workers. Public access to the employee identification numbers is the only way to track employees who have changed their names after marriage.
Another speaker for the Sunshine Week conference said Texas has provided him with the employee identification numbers for that state.
"I know of no government body anywhere that has denied access to unique identifiers because of this pathetic excuse. This is a very basic piece of information," said Ryan McNeill, computer-assisted reporting editor for the Dallas Morning News.
Strengthening the security procedures of Oklahoma's payroll system would seem to negate the reason for denying access to the employee identification numbers. The attorney general's office should reconsider its recommendation accordingly.
Joey Senat, Ph.D.
OSU School of Journalism