Email breach prompts Falmouth to seek change in Maine FOI law
On June 9 at 9:10 p.m., subscribers to the town's email notification system received an email from resident Michael Doyle with the subject “Upcoming Elections.” The message, delivered by the town's server, included nothing but a link to Doyle's website, Falmouth Today.
The email was allowed to be sent as a result of a mistake by the town's web hosting company, Virtual Town and Schools.
The email addresses of the town's approximately 3,100 subscribers were obtained by Doyle through a Freedom of Access Act request. On May 31 he was provided the list of addresses, including a technical email address used by authorized town officials to post to the notification system.
According to Town Manager Nathan Poore that address gave Doyle access to the back end of the town's website.
After the breach, Poore and some town councilors said they heard from many residents concerned about the safety of their personal information. At the town council meeting on June 18, Poore assured residents that billing information and Social Security numbers are all safe because they are handled separately from the town mailing list.
After working with Virtual Town and Schools to correct the problem and enable the correct security measures, Poore said he contacted the MMA about drafting an amendment to the Freedom of Access Act which would keep the email addresses of website subscribers out of the public record.
“People sign up for (notifications) to just be informed and the concern we're hearing from citizens is 'are you selling this to outside agencies or businesses?'” he said.
Geoff Herman, director of state and federal relations at the Maine Municipal Association, said this is not a common problem and that he doesn't know of any other town experiencing a problem similar to Falmouth's.
Herman also said the MMA is not too far along in the process of drafting the amendment, but has laid out a basic structure for the change.
“The concept is to make an amendment to the Right to Know Law in such a way that a person's email address –or the personally identifying information of a person who was communicating with a government entity for no other purpose than to receive notification – that personal information, contact information, would not be a public record,” he said.
The revision would be similar to one passed by the Legislature in 2011, which allows people using the Department of Inland Fisheries and Wildlife website for things like renewing hunting or fishing licenses or other notification systems to opt out of having their email address become a public record.
The draft amendment will have to be approved by the MMA policy committee before it is submitted to the Maine Right to Know Advisory Committee, and ultimately, the Legislature, Herman said.
Poore said the narrow language of the proposed change would only apply to those email addresses subscribed to the town's notification system. Email used for two-way communication would remain public.
He also said that there is a lot more work to be done on this issue.
“The ball has just gotten rolling," Poore said. "It's going to the right place first, which is the advisory committee."
Judy Meyer, a member of the Right to Know Advisory committee and managing editor of the Sun Journal newspaper in Lewiston, said it is the committee's plan to look at the issue in general at an upcoming meeting.