Digital leaks plugged

After two embarrassing breaches, Wake County is making changes to better protect its digitized data.

In a written report to commissioners, County Manager David Cooke said the local government has made several improvements. The move comes after the former girlfriend of Deputy County Manager Joe Durham repeatedly accessed the government's computer network and the theft of an Emergency Medical Services laptop containing the names and Social Security numbers of more than 4,600 patients, paramedics and firefighters.

"Those events raise questions in people's minds," Cooke said Wednesday. "I think we owe it to the people whose information we keep that it is as secure as possible."

Since the laptop went missing in January, the county's Information Services technicians have installed new hard-drive encryption software on all EMS laptops and have established new protocols that require users to frequently change their passwords. Software changes have also been made to store sensitive information on the laptops for a shorter time before the data is transferred.

Annie I. Ant-n, a professor of computer science at N.C. State University, said the county's security changes appear reasonable but that the county should work faster than its 2009 deadline to implement improvements.

Data security experts have said the access of Durham's e-mail following the theft of his password could have left the county's wider computer system vulnerable, but Cooke contends that there was a low risk of that actually occurring.

Raleigh lawyer Christina Paulette Medlin, 31, is charged with one felony count of accessing government computers after allegedly tapping into Durham's e-mail account more than 1,400 times.

A district judge last week continued Medlin's case until October. Her lawyer has said Medlin was romantically involved with Durham and accessed his computer to try to find e-mail messages from other women.

After county IT officials became aware of the issue in December, a change required computer users to increase the minimum length of their passwords from four characters to eight. A "three strikes and you're out" policy was also added to lock the account if anyone tries to access it with the incorrect password too many times.

It is not clear, however, if either of those precautions would have stopped Medlin, whose lawyer says the woman gained access to Durham's password when he failed to properly log out after accessing his work e-mail from her computer.