State County Must Pay Up To $68m for Privacy Violation

The outcome of a legal case in Pennsylvania last week hammers home an important piece of advice for online service providers: effective information governance is critical.

A Pennsylvania court ordered the state's Bucks County to pay up to $68m in damages after plaintiffs said that the County had broken state laws by publishing their criminal records.

In January 2011, Bucks County Correctional Facility created an online service called the Inmate Lookup Tool (ILT). This held information about 66,799 people who had been imprisoned there over the past few decades. According to the court’s ruling, even though the County employees responsible had training and access to a hotline to discuss privacy issues, they “proceeded without seeking advice from the Bucks County Solicitor before releasing the information.”

The data in question included name, race, weight, hair and eye color, arrest dates, arrest charges, and where available the inmates’ marital status and their FBI and State fingerprint identification numbers. The system also included photographs of 47,000 of the inmates. 

One of those inmates, Daryoush Taha, filed suit the following year. He claimed that Bucks County violated Pennsylvania’s Criminal History Record Information Act (CHRIA) by releasing criminal history information inappropriately.

Taha was held overnight on a harassment charge in 1998, but charges were dropped and County officials told him that his records had been expunged. The details, along with his photo, turned up on the ILT. 

The district court ruled in Taha’s favour in 2016, concluding that the County violated CHRIA by releasing inmate records.

In late May, the jury in the case awarded $1000 to each of the 68,000 members of a class action lawsuit against the County. The amount shows that both companies and governments should seriously consider the privacy of the information that they make available via online services.
