Agency suffered data breach in September on mining permit applications
Notice given as required by law, some info was unredacted
FRANKFORT, Ky. (WTVQ) – On September 8, 2021, the Kentucky Energy and Environment Cabinet (EEC) discovered that original, un-redacted mining permit applications containing some mine owners' and controllers' personal information were available for public inspection at Department for Natural Resources (DNR) field offices and on an EEC-hosted, public-facing website.
Under federal law (30 C.F.R. § 773.6), EEC is required to make permit information such as the owners’ and controllers’ identifying information available for public inspection.
Although internal EEC policy and procedures require redaction of certain personal information (including Social Security numbers) before permit information is made publicly available, some un-redacted permit materials have been available: 1) since sometime in 2015 at public reading rooms located at DNR field offices, and 2) since January 16, 2021 on a public, internet-accessible database maintained by EEC. As a result, individuals or automated software may have accessed the permit information.
On September 8, 2021, EEC discovered the security issue, and immediately disabled access to the files. After investigation, EEC was unable to determine whether personal information was accessed or downloaded during either the time in which it was available in EEC’s regional offices or when it was hosted on the EEC’s website.
In order to meet its obligations under federal and state law and prevent this issue from recurring, EEC has implemented further staff training and has reviewed and removed the subject materials so that documents containing sensitive personal information are no longer publicly accessible. Sensitive personal information will be redacted before those documents are provided in response to an open records request.
EEC does not have any information indicating that any personal information has been misused. However, out of an abundance of caution, given that the files were hosted for an extended period of time, EEC initiated the personal information security breach protocols as required by Kentucky law, which includes notifying impacted individuals through personal communication and by notifying local, regional and statewide media, including broadcast media.