On March 20, 2015, attorneys for the Central Dauphin School District in Pennsylvania notified the Maryland Attorney General’s Office of a breach involving visitors’ drivers license images.
The district has a security system that involves scanning visitors’ drivers licenses when they enter the administration building. The laptop that stored those images, which was provided by an unnamed external technology services provider, was returned to the provider on or about February 20, 2015 after being used for about two weeks.
Unfortunately, and it’s not clear to me whose responsibility this really was, it seems nobody scrubbed or securely deleted the images before the laptop was returned to the vendor or before the vendor reassigned the laptop to another client. The district’s lawyers make it sound like it may have been the vendor’s responsibility to do that.
In any event, the district learned of the breach on March 13, and the images were deleted from the laptop. Approximately 50-60 visitors had their drivers license images on the laptop, but only a sales representative from the vendor and the IT director for the other school district would have had access to the images.
You can read the notification on the Maryland Attorney General’s Office (pdf).
It’s the responsibility of the person who bought the thing that scans licenses without thinking it through.