Data breach uncovered in state program designed to protect domestic violence, stalking victims
Woman says she learned her information compromised during credit check
FLORIDA – News 6 is investigating three state agencies for their handling of a state program created to protect victims of stalking and domestic violence.
This after one of the victims discovered her protected voter information was somehow released to the public, making it possible for her abuser to find her and her family.
The program is called the Address Confidentiality Program, and it is run by the Florida Attorney General's office.
Its purpose is to ensure that abusers cannot use public records to locate their victims. But the whistleblower News 6 talked to says she discovered a substantial breach - and was ignored when she reported it.
News 6 agreed to disguise her identity in every way possible in order to protect her and her family.
We are calling her Sam for the purposes of this story.
"Even though I'm terrified even doing this interview I just couldn't sit back and keep quiet," said Sam. "Knowing the other victims of abuse didn't know what happened to them or may never know why they may have been found by their abuser or worse."
This ACP participant says she discovered her confidential information had been compromised while she was checking her credit.
"My physical address had been supplied to E-Merges from my voter records," said Sam. "And that is the scary part - because at that moment I was horrified. I wondered what all had been released and when?"
News 6 checked and discovered Florida state law is supposed to protect victims like Sam from having their name and address released to anyone - not only for their safety, but for the safety of their families.
But Sam discovered that is exactly what had been released to a company called E-Merges - which then sold it to hundreds of companies around the world -including LexisNexis, a major internet database.
"I felt horrified," said Sam. "I felt betrayed, I felt like how could they have done this."
Sam says she called E-Merges and talked with the CEO, Shawn Harmon.
She says he told her his research revealed that he had been sold hundreds of ACP participants' protected voter information back in 2005 and 2006 - without their knowledge or consent.
"Sold to him repeatedly by the Division of Elections for $5 per CD ROM over the course of a few years," said Sam.
The Department of State tells News 6 the Florida Division of Elections does not sell voter information, but it used to charge a $5 administrative fee to full fill public records request which is allowed under Florida law.
Sarah Revell with the Department of State states 'they no longer do that.'
Sam provided News 6 with documentation clearly showing Harmon's correspondence with her and state officials.
Sam says Harmon acknowledged the Division of Elections had released this confidential information, but stated he would make sure that all the information he received would be redacted.
News 6 reached out to E-Merges CEO Shawn Harmon to confirm this information, but by phone he said he could not comment on the matter and cited confidentiality as his reason why.
But in an email dated May 15, 2017 to the Florida Department of State, Harmon writes,
"We researched our Florida voter records going backwards around 2002. These are files we received directly from the state---no intermediaries. We found several records with the Tallahassee P.O. Box and zip. We also found at least one record for her that included both her full residence street address and the P.O. Box!
"In other words her address was being released during the period that she reports that she was under the protective order.
"I am trying to understand what is going on. The Florida voter file is supposed to be an open and unrestricted public record available to all requestors and without any permissions required. Clearly eMerges and our client do not want to unwittingly be releasing information that you at the state accidentally released to e-Merges."
Earlier in the letter, Harmon states:
“eMerges and the other 500 or so requestors of the Florida voter file were/are not supposed to get her or the other real address.”
He also states in another email dated May 16 to the same agency:
“other voters with full address and the same PO Box do in fact appear all the way through our December 2016 file.”
----Shawn Harmon, eMerges CEO
Sam says she contacted the Division of Elections immediately and asked them who released the information and what software was being used to secure the data. She says she even called the Florida Department of State's office.
She says at first she was berated, and then ignored for bringing the information to light. Sam says they even tried to convince her that somehow she had done something wrong when she registered to vote. But Sam provided News 6 with documentation showing that she registered properly.
"They are denying, blaming, avoiding and sweeping the breach under the rug," said Sam. "And this is an issue that could potentially get a victim of domestic violence and or stalking found and possibly killed."
Sam wants to know why the Florida Attorney General's Office and the Division of Elections did not notify ACP participants of this breach early on. And she wants to make sure other ACP participants know she has not released and will not release any of their information that was provided to her during the course of her investigation.
Sam says learned that in 2005, the ACP did purge participant information on their computers. Soon after, a new system was put in place for the Division of Elections to handle ACP participant voter information. In this case, all their handwritten personal information was kept in a locked box, not in a computer. News 6 did confirm this with a Supervisor of Elections in Leon County.
"They've both known about - and had evidence of this breach - since at least May 2017," said Sam. "Yet neither entity has informed any of the victims of this breach."
Sam says when she discovered the breach, she was forced to dramatically change her life - in order to keep her abuser away from her and her family.
"This breach literally altered the course of my life," said Sam.
Sam did provide a letter to News 6 that shows back on Jan. 15, 2009, the Florida Office of the Attorney General did write to ACP participants that the Post Office Box number that was being used had been potentially compromised, due to investigative research conducted by a private party on a program participant.
The letter stated while it cannot completely protect a participant, it would send a new participant card to those in the program with the new PO Box number. But it also stated it would be their responsibility to notify any relevant agencies that the address had changed.
Since early June, News 6 investigator Adrianna Iwasinski has called and emailed all the state agencies involved. News 6 even went up to Tallahassee looking for answers.
At the Attorney General’s Office, we were informed the current Attorney General Pam Bondi could not comment, since the alleged breach did not happen on her watch.
News 6 also reached out multiple times to Rep. Charlie Crist, who was the Florida attorney general at the time. Our emails and messages have not been acknowledged or returned.
News 6 also went to the Florida Department of State, but were denied a sit down interview.
However, the DOS did finally send a response on Aug. 4, stating, "The safety and security of ACP information is of the utmost importance." and, "Procedures are in place to ensure their information is protected from public disclosure."
ACP participants were and still are maintained at the county level in the Supervisor of Elections office.
But they admit at the time in question, "If Supervisor of Elections offices sent voter registration data to the Division of Elections that included ACP voters, we had no way of knowing that and it is possible the information was released to fulfill a public records request" - and that the department has "no way of knowing exactly how many ACP voters had their information potentially released."
On the Department of State website, it explains the history of the Address Confidentiality Program (ACP). It states it was created in 1998, to be administered by the Office of the Attorney General to protect domestic violence victims. In 2010, victims of stalking were added to the program.
The ACP provides victims a legal substitute address (usually a post office box) to use in place of their physical address. This address can be used whenever an address is required by public agencies. Currently, 36 states have ACPs.
The DOS website states while the ACP's purpose is to insure that perpetrators of domestic violence and stalking cannot use the state's public records to locate their victims, it does not help its participants go underground, hide its participants, or keep the participants non-public records confidential that are already available through internet or other types of searches.
The program does provide a substitute mailing address, confidentiality of voter registration information, and voting by absentee. The DOS states the Division of Elections must maintain records separately in a secure file storage, conduct periodic checks for ineligibility and has the rights to remove a participant due to a felony or mental incapacity, death or other reason.
Sam has hired a private attorney to look into this as well.
On Thursday, we will have more on what that lawyer has to say about this case - and how it could affect victims of domestic violence nationwide.
News 6 asked the state Department of Elections further questions about the ACP program. Read their response below.
The safety and security of Address Confidentiality Program voters’ information is of the utmost importance to the department. We currently have thorough procedures in place to ensure their information is protected from public disclosure at the local and state level.
In 1998, the Legislature established the Address Confidentiality Program (ACP) within the Florida Department of Legal Affairs. The ACP is administered solely by the Attorney General’s office. It is a public records disclosure protection program – not a witness protection program. It is important to understand that becoming an ACP participant and becoming a registered voter as an ACP participant are two totally separate components.
The AG’s office is responsible for the process for someone to become an ACP participant. The Supervisor of Elections is responsible for the voter registration of an ACP participant who wants to register to vote or for protecting the record of an ACP participant who is already registered to vote in his or her county. The Department of State’s Division of Elections plays a supportive role in the voter registration process.
Prior to 2006, each county Supervisors of Elections had responsibility for their own voter rolls. Each county's local registration system constituted the official voter record and did not communicate with other county systems. Each county maintained the voter registration records of ACP participants in the respective county in accordance with its own established procedures. For a number of years prior to 2006, counties began to upload voter registration data to the Division of Elections. The Supervisors were still responsible for ensuring ACP participant data was protected before uploading to the Division as the Division had no way of checking the data for ACP voters.
The department is not able to confirm if any individual was or is currently a participant in the Attorney General’s Address Confidentiality Program. We are also not able to confirm if any ACP voters’ information was potentially released 12 years ago because only county Supervisors of Elections maintained information about ACP voters prior to 2006.
Once the statewide voter registration system (FVRS) was implemented in 2006 and became the official list of registered voters, a statewide standardized process for registering ACP voters was developed and codified in Rule 1S-2.039, Florida Administrative Code. The original registration records for ACP voters are still maintained at the local level and also outside the FVRS. ACP voter information is excluded from responses to public records. If a person becomes an ACP participant after their voter registration information had already been released through a prior public records request, there is no way for the department to pull the information back from the public domain. Please note that the Division of Elections does not sell voter information, although we previously assessed a nominal administrative fee to cover the actual cost of producing the publicly available voter information.
The AG’s office continues to have sole authority over admitting persons to the ACP program while Supervisors of Elections continue to have sole authority to register voters, including the process to register ACP participants to vote or if already registered to vote, to protect their registration records. In order to ensure the protection is properly applied, ACP participants must also follow certain protocols if they want to register to vote, otherwise there is a risk of their information getting released as part of a public records request (see AG’s rule relating to this - chapter 2A-7, Fla. Admin. Code). An ACP participant should not register to vote through the DHSMV/tax collectors’ office or any other means other than going in-person to the Supervisor of Elections office. It is also incumbent on the ACP participant to provide his or her ACP card (which is received from the Attorney General’s office and shows he/she is a participant in the program) to the Supervisor of Elections and to notify the old county of residence and a new county that he or she is an ACP participant. ACP participants must also reapply for the ACP every 4 years and if their certification in the program is renewed, he/she must provide the updated ACP card to the Supervisor of Elections.
Copyright 2017 by WKMG ClickOrlando - All rights reserved.