Please read this newspaper’s account of how 15,000 library patrons’ personal information — names, phone numbers, e-mail addresses, street addresses, children’s names and library card numbers — wound up accessible to the public as a result of… something happening to the systems at the Lakeland Library Cooperative in Michigan. That’s the rub, they’re not even sure. The interim director (what a lousy time to be an interim director) said that they “think there was a software malfunction” and then later in the article is paraphrased as saying “the library last month underwent a software upgrade on their system, but was not able to determine if that was the source of the problem.” Does this inspire confidence? No, it does not. E-problems?
Mistakes happen, we all know that, but this story tells me that either the reporter doesn’t understand computers enough to write about this incident, or that the person who runs the Library Cooperative does not understand what happened, or possibly both. I’m aware that there is always a third option, that they are trying to be deliberately obscure to keep people from hacking into their system, but if I were a patron of one of the affected libraries, I’d like mor information, a lot more. This is a file that is on the web, right? There should be log files that show how many times that page was accessed. Wouldn’t it be reassuring if that number was, say, three instead of perhaps a hundred? There is nothing on any of the Coop’s web sites about this incident even though the news story has been online all day (I found it through LISNews).
Oddly it looks like the previous director left the job somewhat mysteriously a few weeks ago. According to this short story, all the member libraries will be notified and 15000 new bar codes will be issued.
The Michigan Library Privacy Act says in part:
97.604 Violation of § 397.603; liability; civil action; damages; attorney fees and costs.
Sec. 4.
A library or an agent or employee of a library which violates section 3 shall be liable to the person identified in a record that is improperly released or disclosed. The person identified may bring a civil action for actual damages or $250.00, whichever is greater; reasonable attorney fees; and the costs of bringing the action.