Governing Magazine / February 1995
TECHNOLOGY COLUMN

THERE ARE WAYS TO PROTECT SENSITIVE DATA
By Jerry Mechling

Jerry Mechling is director of the Program on Strategic Computing and Telecommunications in the Public Sector at Harvard University's Kennedy School of Government. To reach him, call 617-495-3036 or send e-mail to jerrym@ksgrsch.harvard.edu.

While information today is captured mostly on paper and used a few times locally, in the technologically rich and not-so-distant future it will be captured electronically and repeatedly reused on a global basis. There is great good news here. Information readily shared over networks allows services, including those provided by government, to be delivered less expensively and with greater customization.

But there is also a dark side. Networks are vulnerable to security threats, and aggressive secondary usage of personal information threatens privacy. The concern is not only with government ("Big Brother") but also with the growing abuses of commercial direct marketing ("How did they get my name?"). To many public managers, data security and privacy look like time bombs waiting to wreak havoc in the Information Age. Managers feel anxious about the pending explosions and, at the same time, helpless to do much about them.

To examine security and privacy concerns, we recently assembled at Harvard a group of leading-edge public and private managers, along with security and privacy experts. After two days of exploring and debating recent experience and research, this group concluded that there is much that can be done to reduce security and privacy risks, including:

Secure information practices. Over the years, professional associations such as the Institute of Internal Auditors and the Information Systems Security Association have developed a group of generally accepted security practices. These have been shown to be effective, yet they often are not utilized in today's public- and private-sector organizations. Steps that should be taken include the separation of duties, so that more than one party is required for actions that risk data contamination or destruction, and the development and rehearsal of disaster-recovery procedures. A particular need is to strengthen weak password systems by educating users on proper password use and by investing in stronger user identification techniques, such as challenge-response systems ("What is your mother's maiden name?") and biometric devices (fingerprints, retina scans).

Fair information practices. The key imperatives here flow from a seminal federal study in the 1970s and have recently been updated by the National Information Infrastructure Task Force: Don't build secret databases; don't use personal data for incompatible secondary purposes without consent from the individuals involved (unless privacy is explicitly subordinated, typically by legislation, to competing social values, as with criminal investigations); provide individuals with rights to inspect and correct their own data; and take precautions to assure data reliability and prevent misuse. Fair information practices may require the appointment of security and privacy officials to provide a focal point for establishing and monitoring policies.

Systems planning. A key reform is to consider security and privacy concerns up front as part of the systems design and development process. Many security or privacy shortcomings, such as inadequate redundancy or inadequate record-keeping on the use of sensitive information, are expensive to repair after the system has been developed but readily handled if dealt with in the original design.

As an example, consider the development of a system to check for drug interactions and possible health care fraud in Ontario, Canada. One approach would be to allow pharmacists to directly view personal drug histories.
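To make the contrast concrete, here is the direct-view approach just described beside a mediated design in which the system performs the look-up, the pharmacist receives only a conclusion, raw histories are reserved for an investigator role, and every access is recorded. This is added example code, not the column's own and not the Ontario system's; all drug names, interaction pairs, patient ids, user ids and roles are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data for illustration only: a tiny interaction table,
# two patient drug histories and a user-role table. Nothing here is real.
INTERACTIONS = {frozenset({"warfarin", "aspirin"}),
                frozenset({"simvastatin", "clarithromycin"})}
HISTORIES = {"P-1001": ["warfarin", "metformin"], "P-1002": ["simvastatin"]}
ROLES = {"pharm-17": "pharmacist", "inv-02": "investigator"}


def direct_view(patient_id):
    """The first approach in the column: the pharmacist sees the raw history."""
    return list(HISTORIES.get(patient_id, []))


@dataclass(frozen=True)
class Conclusion:
    interaction: bool     # new drug interacts with something already dispensed
    duplicate_fill: bool  # same drug already on record: a possible fraud signal


class MediatedDrugService:
    """The system does the look-up; each role receives only what it needs."""

    def __init__(self):
        self.audit_log = []  # every touch of sensitive data is recorded

    def check_prescription(self, user, patient_id, new_drug):
        """Pharmacist path: a conclusion comes back, the history never does."""
        self.audit_log.append((user, "check", patient_id))
        if ROLES.get(user) not in ("pharmacist", "investigator"):
            raise PermissionError(f"{user} may not submit prescription checks")
        history = HISTORIES.get(patient_id, [])
        interaction = any(frozenset({d, new_drug}) in INTERACTIONS for d in history)
        return Conclusion(interaction=interaction, duplicate_fill=new_drug in history)

    def full_history(self, user, patient_id):
        """Investigator path: raw supporting data, role-gated and logged."""
        self.audit_log.append((user, "history", patient_id))
        if ROLES.get(user) != "investigator":
            raise PermissionError(f"{user} may not view drug histories")
        return list(HISTORIES.get(patient_id, []))
```

Denied requests are logged before the role check so that the audit trail records attempts as well as successful reads.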
In Ontario, however, the system, not the pharmacist, does the look-ups, while the pharmacist receives conclusions about possible drug interactions or fraud; full access to the supporting data is limited to special investigative personnel. The system provides the benefits of networked health care data without many of the privacy vulnerabilities.

In general, the Harvard group acknowledged that information technologies raise new trade-offs among security, privacy and customer service. "Best practice" on a voluntary basis is unlikely to solve these problems, since there are strong incentives to underinvest in security protection (the costs are visible, while the benefits are invisible) and to overindulge in privacy violations (the benefits of reusing personal data without permission are substantial, while the penalties are minimal). We will ultimately need new legislation, but are unlikely to pass good laws soon.

The issue thus remains a time bomb, but one where managers can take proactive steps to protect themselves, their agencies and the public. In fact, over the past 20 years, a substantial body of "good practice" has emerged which has not yet worked its way into "common practice." We need to accelerate that process. Why not begin today?

----------------------------------------------------------------------
Copyright 1995, Congressional Quarterly, Inc. Reproduction in any form without the written permission of the publisher is prohibited. Governing, City & State and Governing.com are registered trademarks of Congressional Quarterly, Inc. http://governing.com