Keeping Personal Data Safe
Not many know how many cybersecurity breaches occur in state and local governments.
There was a "crawling clean-up" at the Indiana Department of Transportation recently. It had nothing to do with mops or dust rags. It involved computer files with the names and Social Security numbers of 4,000 transportation employees -- files that had been left on a non-secure server where they could be seen by all employees and some private contractors. Nobody knows how it happened, but Indiana IT employees spent three weeks scouring the agency's system, checking to see if other sensitive information might have been dragged or copied from secure to non-secure areas.
Most of us have read about major security problems suffered by the U.S. Department of Veterans Affairs in which the personal data of millions of vets landed in the hands of thieves, and about ChoicePoint, a corporation that in 2005 sold personal and financial information on 145,000 people to a criminal enterprise. Less widely known is how many breaches occur in state and local governments.
What we do know is that since the beginning of the year, officials have had to chase down security problems in agencies in seven states and three cities, as well as at seven state universities, one city university and a water district in California. This does not bode well for governments who want to assure constituents that they can protect the personal information they require citizens to submit for such massive personal data-collection projects as REAL ID.
The goof-ups happen in a variety of ways. In Wisconsin, the personal information exposed was related to adoption records. Pieces of private information on about 200 families were available on a state system for about four months. In Kansas City, Missouri, Internal Revenue Service computer tapes, transferred to the city as part of an information-sharing agreement, went missing mysteriously. The same with several CDs in Chicago that contained 1 million voters' Social Security numbers. Hawaii had to contact 11,500 families who received assistance through the Women, Infants and Children program after a health department employee stole information from a database. Governments need the speed and efficiency that electronic records provide and need to be able to share that information between agencies and levels of government. But the onus is on them to protect that information. I'd like to believe that all governments have strict policies on privacy protection and security and work on managing the risk, but they may have to attack it from additional angles. The National Association of State Chief Information Officers, in a research brief entitled "Keeping Citizen Trust," suggests several ways for CIOs to stay on top of the privacy issue. They range from setting security standards to "baking" privacy into new IT systems -- that is, designing privacy protections at a project's inception.
Several states have taken steps to ensure that any breach -- whether public sector or private -- is reported directly to them. Thirty-five states have laws mandating that companies or state agencies disclose security breaches of personal information.
Once the personal information cat is out of the bag, those who are affected need to know so they can protect themselves against fraud and identity theft. The personal data in Indiana that was exposed may not have been abused by anyone, but the department still sent out 4,000 letters to employees telling them to take precautions. Andy Dietrick, a DOT spokesman, was one of those who received a letter. He put a fraud alert on his credit accounts, after first checking with credit agencies that there had not already been identity theft. The transportation department couldn't provide the service. Each affected individual had to take care of his or her own credit record.
Not all data breaches, of course, have to do with electronic data. In Wisconsin, a legislative staff member took work home but stopped off at the gym first, where her car keys were stolen from her locker. The thief who broke into her car got away with a load of paper files containing personal information, including Social Security numbers, of one-third of Wisconsin Assembly members -- including that of Representative Marlin Schneider, an ardent advocate for privacy and records protection.
Since then, Wisconsin employees have been warned not to take any state information with personal data -- paper or electronic -- out of state buildings. The minority leader has requested privacy legislation to cover other actions that can be taken internally to tighten security. Usually, legislators prefer to focus on more attention-capturing, hot-button topics such as health care and prisons. But there's nothing like the personal information of legislators going missing to focus attention on the "mundane" issues of government.