Schuylkill to receive money after company left child info exposed
Schuylkill County commissioners have approved a $2,745 agreement with a Virginia software firm that inadvertently left its child accounting profile system databases for some counties temporarily accessible on the Internet.
Information about 1,800 children was exposed for a short time in May 2017.
Information stored in certain counties’ child accounting and profile system databases was publicly viewable online.
“The databases are maintained by Avanco, and information and data stored on county-owned systems was not affected,” said First Assistant County Solicitor/Risk Manager Glenn T. Roth Jr.
“There was a potential for exposure of a few names but no actual misuse or access,” he said.
Avanco International of Fairfax will pay the money to the County Commissioners Association of Pennsylvania for costs incurred on behalf of Schuylkill in investigating and resolving the matter.
In exchange, the county will waive certain rights and claims it may have against Avanco.
The sum is a settlement agreement negotiated between CCAP and Avanco, said First Assistant County Solicitor/Risk Manager Glenn T. Roth Jr.
“Avanco is reimbursing CCAP, and by extension the county, for a majority of the professional and legal costs associated with our investigation and remediation,” he said.
The data was “temporally accessible through an algorithm,” said CCAP Executive Director Douglas E. Hill.
“A caseworker did a search, and it came up in an algorithm in a search engine,” he said.
The caseworker reported the issue to a supervisor, and the software was immediately shut down and the matter corrected, Hill said.
“It wasn’t available publicly; rather a search engine was able to go into a case management system,” Hill said.
“When the situation became known, we, through CCAP, immediately engaged legal counsel with expertise in cyber law, who then engaged a digital forensics company to ensure the information was removed from the Internet, conduct an investigation to determine the cause and put measures in place to help ensure an incident like this does not happen again,” Roth said.
He said that based on the investigation, “we have no indication that the information was inappropriately accessed or used.”
Because of the sensitive nature of the data, communication during the investigation was limited to the county solicitors in each of the affected counties, Roth said.
Notice letters were sent to affected families on June 30.
Should someone file a lawsuit stemming from the breach, the settlement still allows the county to request defense and compensation from Avanco.
“Similarly, should there ever be an investigation by any local, state or federal agency or entity related to the security of the system and data therein, this agreement will not prevent the county from seeking defense and indemnification from Avanco in connection with that matter,” Roth said.
There is no indication anyone not authorized to see the data was able to.
“According to expert forensic personnel hired as part of the investigation of the dispute, there was no evidence that any information on the CAPS system was improperly accessed by any individual and, to date, the counties have not received a single claim from anyone asserting that their information was disclosed; however, because certain information was accessible, if an individual knew precisely what to search for on certain online search engines, we took a very conservative approach to remediating the incident, thus necessitating the incurring of certain professional and legal costs,” Roth said.
The remediation included providing access to credit report services for people whose information may have been publicly accessible, as well as notice of the security of the information.
“In connection with Avanco, our team of experts was also able to identify the mechanism which allowed this information to become accessible and ensure that no further incidents would occur,” Roth said.
He said the county has updated its standard contracts with Avanco to “further address best practices from a security perspective.”
