The Colorado Secretary of State's business division shut down online access to certain documents on its Web site after being notified by a privacy advocate that the site had been posting potentially thousands of documents with Social Security numbers since 2001.
Secretary of State Mike Coffman took the step to "prevent identity thieves from pulling personal identifying information from Uniform Commercial Code filings" posted on the site, according to a statement posted on the agency's site Thursday.
The move was identical to one [made just last week] by California Secretary of State Debra Bowen, who also shut down online access to UCC documents because of identity theft concerns.
UCC documents are financial statements filed with the state by banks and other creditors when an individual takes out certain types of loans. They basically allow a creditor to inform other creditors about assets that a debtor might have used as collateral in securing a loan or credit.
The documents are considered public records and are available for purchase, mostly by financial institutions -- though almost anyone can get them if they want. Although very few UCC filings these days contain Social Security numbers, many older documents do. Over the past few years, several states, including Colorado, have been making the records available on their Web sites, often without redacting any of the sensitive information.
In Colorado's case, the state had previously undertaken a redaction effort to black out Social Security numbers from UCC filings received prior to July 1, 2001. That effort was completed in May 2003, with Social Security numbers cut from more than 610,000 filings out of a total of about 1.7 million.
In 2001, the state also released a new UCC form that did not require Social Security numbers. However, many financial institutions appear to have continued using the older UCC form, which includes a box that asks for a Social Security number, Thursday's statement said.
As a result, potentially thousands of UCC records on the Colorado Secretary of State's Web site contain the numbers, said B.J. Ostergren, a privacy advocate in Richmond, Va. Ostergren, who runs a Web site called The Virginia Watchdog, alerted officials to the problem earlier this week.
For the past several years, she has documented cases where county governments and secretary of state offices around the country have routinely posted sensitive data online. Ostergren said she was able to easily access more than 100 records containing Social Security numbers from the Colorado site and had threatened to post the data on her own Web site if the state did not move to shut down access to the UCC filings.
Ostergren said that when she first contacted Coffman's office earlier this week about the problem, officials appeared to be unaware of the issue and initially doubted her claims -- until she showed them records she had downloaded from the site.
A spokesman for Coffman said the move to shut down online access to the UCC filings was prompted by the information from Ostergren. According to the spokesman, Coffman took action almost immediately after personally learning of the issue Thursday afternoon.
His office will begin a new process to examine and redact Social Security numbers from an estimated 320,000 paper filings that have been received and posted onto the site since 2001, the spokesman said. Coffman has also suspended bulk electronic sales of the UCC database records and is using additional staffers to help manually fulfill requests for the documents from businesses that need them.
"We certainly understand the importance of having this information available to financial institutions," he said. "Commerce depends on access to these types of documents, and we'll be moving as quickly as we can" to restore online access, he said.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.