Texas law allows residents’ sensitive personal information to be exposed on county websites
Editor’s note: Texas Public Radio (TPR) did not mention specific document types or the names of most affected individuals in order to protect people’s privacy and not disclose methods through which people could access unredacted social security numbers. Nor did TPR name all counties with exposures or those that did not respond to comment. TPR tried to only name counties that redacted or are actively working to redact documents with social security number exposures.
For more than a decade, some Texas county clerks’ offices have left thousands of unredacted social security numbers online — exposing people to COVID relief fund theft and other identity crimes. County clerks never told people they were exposed, and the state government hasn’t prioritized protecting this crucial piece of their personal information.
Even county clerks are at risk.
Hidalgo County Clerk Arturo Guajardo Jr. waited to see the printed screenshot of a document found on his department’s public records website — which anyone can access.
“Let me see it. Are you sure it's mine?,” he said. Unbeknownst to him, his own office had uploaded a document without redacting his social security number. Texas Public Radio had previously contacted Guajardo to notify him of the exposure.
“I remember you telling me that. Wow, that is my number,” he said in disbelief after looking at the document. He laughed. “I’m filling out the [redaction request] form right after this,” he said.
Since 2007, the state government no longer allows social security numbers on certain documents and must redact this information if they receive a redaction request. State law further allows county clerks to review and redact older records, many of which contain unredacted social security numbers. But they aren’t required to do so. And many do not, alarming privacy advocates.
“So very problematic,” said Emory Roane, the Policy Counsel with Privacy Rights Clearinghouse, as he shook his head and sighed. “Very, very alarming.”
Social security numbers should be kept confidential because they’re unique and associated with a person since birth, Roan said. They’re used throughout peoples’ lives for things like loans, medical paperwork and, more recently, obtaining COVID-19 relief funds.
Criminals can use this identifier along with other basic pieces of information to commit identity crimes such as financial, medical or benefit fraud.
“If we have a dataset right now that has people’s social security numbers publicly available, that is an enormous risk to all of those Texans that are included in that information,” said Roane.
These numbers are on public records that residents are required to file with their county clerk's office.
The availability of social security numbers is problematic for the state’s residents, and county clerks should allocate time and resources to solve this issue, according to State Sen. Juan “Chuy” Hinojosa of McAllen.
“It is within their domain. They've been entrusted with the information. They need to f****** deal with it,” he said.
Currently, counties are only legally obligated to provide redaction request forms to people who want their social security numbers removed from public view. However, they aren’t responsible for notifying those whose numbers are on county websites.
While some counties have taken action, including one that agreed to pull the numbers after TPR showed them their vulnerability, others still refuse to do so even after TPR reached out.
In 2020, Texas ranked among the top states for identity theft, according to the Federal Trade Commission 2020 Data Book. That year, they received almost 135,000 identity thefts reports from Texas.
Access to such information can lead to a myriad of crimes with a long-lasting impact. In 2020, according to the FTC, loan and lease fraud were among the most common forms of fraud in Texas. While the FTC does not have estimates on how much money was lost solely to identity theft at a state level, in 2020, they reported more than $200 million in fraud losses in Texas, of which identity theft was by far the most common.
A 2007 law changes accountability for county clerks
Most Texans could face legal penalties for disclosing a social security number, but a 2007 change in state law exempts county clerks from criminal liability for doing just that.
Living peoples’ social security numbers had been deemed confidential under a 2005 amendment to an existing Texas law. Then-Texas Attorney General Greg Abbott reinforced this point in a 2007 opinion which states: “Texans have a legitimate expectation that their SSNs will remain confidential.”
But county clerks claimed that redacting old documents required too much work and money which “halted business and commerce.”
Abbott walked back his stance while the Texas legislature amended the law to absolve county clerks.
As of this 2007 amendment, county clerks are not liable for providing documents that contain unredacted social security numbers.
While Abbott, now governor, expressed his support in favor of social security number confidentiality, he still has not addressed the problem. His office did not respond to multiple requests for comment.
Another 2007 amendment also allowed for social security number redaction requests and prohibited social security numbers on certain document types. Now, forms may require only limited disclosure of a few social security number digits, but thousands of documents already filed in 2007 were not retroactively redacted.
Privacy protection varies by county
Across Texas, there are rampant inconsistencies in county clerks’ handling of social security numbers.
Texas Public Radio reached out to 16 Texas counties with the same questions about their social security number privacy policies. TPR chose counties based on their public records databases’ security levels and made sure to include the six most populated counties. Eight responded.
While some counties have taken the initiative of automatically redacting past records with computer software, other county clerks say they will not redact them without a request from the person whose number is exposed.
However, those county clerks haven’t alerted citizens whose numbers are exposed or have to take steps to protect themselves.
“You would expect that when a government agency exposes information of this level of sensitivity, the bare minimum would require notification to the individuals,” said Roane, the privacy advocate.
Rachel German, an instructor in the Masters of Security and Privacy Program at the University of Texas School of Information, said this is probably a case of limited resources and county clerks’ duty to make these documents publicly available.
But, she said, that shouldn't keep them from protecting people’s social security numbers.
“I do believe that there's an obligation for them to take it down once it's been notified to them that this information is out there,” said German.
Some counties have prioritized protecting this information. Others haven’t.
Fort Bend County purchased software to automatically redact personal identifiers like social security numbers even after the law was amended to absolve them from criminal liability.
“Although we follow [2007 law], we have been proactive in automated redaction of all our public records containing SSNs,” said Laura Richard, Fort Bend County Clerk, in an email.
Other counties like Bexar County did the same. “We didn't think it was a great idea to wait for people to let us know to redact them if we knew what documents had social security numbers,” said Raquel Montalvo, Senior Recording Division Chief.
However, Bexar County did not address all social security number exposures. Once TPR reached out to the Bexar County Clerk’s office, senior recording division chief Raquel Montalvo said they’d go back and redact the documents they missed.
Unlike Fort Bend or Bexar County, Brazos County interprets the law as to not allow automatic redactions of social security numbers on any documents. “There is not authorization per statute for us to automatically redact Social Security Numbers,” said Karen McQueen, Brazos County Clerk, in an email.
On top of the likelihood that someone might not know they’re vulnerable, the form they’re required to submit can itself be a liability.
The Denton County Clerk’s office had social security number redaction requests posted online as recently as 2018, some of them with the requestor’s social security number visible.
TPR contacted the Denton County Clerk’s office and they removed all redaction requests with unredacted social security numbers from the database. However, Juli Luke, the Denton County Clerk, did not express any intention to redact other documents with exposures.
The Hidalgo County Clerk’s office, whose county clerk’s own social security number was displayed, said they had no immediate plans to redact the numbers retroactively.
“The county clerk and a district clerk, by law, are exempt from having to redact them,” said Annette Muniz, Hidalgo County Clerk's Office chief deputy.
Muniz said the office will only redact documents with an official request from the filer. “When individuals come to us and tell us that something's been filed with their social security number, depending on what it is, we can keep it from view from the public, but they would have to let us know,” she said.
But, according to Muniz, it’s too resource-intensive to notify people who don’t know their social security number is visible. “For us to go out and inform them that would be really, really difficult and really costly to the county,” Muniz said.
On their website, the Attorney General of Texas lists ways to protect against identity theft, including not sharing personal information over the internet “unless you have a trusted relationship with the requestor and you initiated the contact.”
TPR sent 10 emails over two months requesting an interview and notifying the Attorney General’s office that social security numbers were on Texas county government websites without the filers’ knowledge. In an email, they responded by referencing the relevant Texas government codes.
Texas state laws
Texas privacy protection laws are lacking compared to other states.
For example, California does not exempt government entities from legal responsibility if social security numbers are unknowingly exposed. California also allows consumers to contact businesses about what personal information they may have.
In cases of breaches — where someone who is unauthorized accesses sensitive personal information — mandatory disclosure laws require the attacked entity to notify those whose data is compromised.
Texas was one of the last states to pass data breach notification laws and this protection does not extend to victims of government agency breaches.
“There's no real obligation on the government agency that is exposing this information currently to notify individuals,” Emory Roane said.
States with strong privacy protection laws like California include government agencies in legislation like breach notification laws.
“You would expect that when a government agency exposes information of this level of sensitivity, the bare minimum would require notification to the individuals,” Roane said, “we would certainly expect that the attorney general would then publish that disclosure that exposure on their website along with any other data breaches that they've received from businesses.”
German, the security and privacy professor, said the Texas Legislature should address the issue of unredacted social security numbers.
“It needs to come from above, in the Texas government, to require that they make this a priority. That [county governments] put the man power towards this when it's discovered and reported to them,“ she said.
However, state lawmakers disagree it’s their responsibility.
“The counties have to make this a priority. I can't believe that their excuse is gonna be that we don't have the resources,” Senator Hinojosa said.
He said the hundreds of millions in COVID relief money Hidalgo county received should go towards fixing this exposure. If county clerks are looking to remedy the situation, they need to contact legislators. “If they want any adjustment, change the law, they have to come and ask us. And they have not requested any type of change,” he said.
Hidalgo County clerk Guajardo Jr. insists that lack of funding and state lawmakers’ support hinders his department from fixing what he knows is a problem.
“I am in complete agreement that we could do more to protect these social security numbers,” Guajardo said.
However, the state government doesn’t enforce or provide resources for county clerks to improve the security of their records.
Guajardo said the county clerk’s office only receives a general fund from the county that hasn’t changed in about 10 or 15 years. Their only financing option for any initiative outside their allocated funds is by adding filing fees to every document requested from the department.
In other words, the best a county clerk with insufficient funds could do is lobby for a bill that allows them to charge extra from people requesting public records and Guajardo has little hope the legislature would agree to an increase in fees.
“What we would need is for the state legislature or U.S. Congress to say, ‘We want you now to redact anything that has a social security number on it, and here's how you're going to pay for it.’” he said, “And then it would fall into place perfectly.”
After TPR showed Guajardo that his social security number is on the website he’s responsible for, he said he’s working with Kofile, the company that runs the website, to lessen the accessibility of social security numbers in the online database. But they are still not redacting documents without official requests or informing those who are exposed.
If you’re concerned your social security number is compromised, reach out to the county clerk’s office where your documents are filed to see if your social security number is redacted.
If your sensitive personal information is publicly available, you may request a redaction through the corresponding county clerk and, in most cases, they must redact your social security number.
If your identity is stolen, the Attorney General of Texas’ website contains resources on what to do if you’re an identity theft victim.
You can also reach out to the Identity Theft Resource Center for help on how to deal with and recover from identity theft.
Copyright 2021 Texas Public Radio. To see more, visit Texas Public Radio.