The thought of secret government codes conjures up images of spy novels, shoe phones, and self-destructing messages. But while spy technology has advanced over the years, many government agencies remain stuck in the days of Maxwell Smart–especially when it comes to data security.
Almost a year ago we learned that the personal and confidential information of 3.5 million Texans, including teachers, State employees, and retirees, was left unprotected and unencrypted on State servers and exposed to potential theft. Just a few months after that breach, a second but less-reported incident with another Texas state agency, the Texas Department of Assistive and Rehabilitative Services, potentially exposed 4,900 current and former agency employees’ personal information. Again, the alleged cause was unencrypted and unprotected data.
While this may seem like old news, the incidents continue. Recently, on April 27, 2012, the Texas Attorney General’s Office responded to requests for Texas’ voter database from lawyers challenging Texas’ Voter ID Law. In producing data on 13 million Texas voters, the Attorney General’s Office mistakenly believed the database included only the last four digits of voters’ Social Security Numbers. However, the data actually included the full nine-digit numbers for nearly half of the individuals. Fortunately, the information was encrypted and was produced to attorneys already under a court order to keep the information confidential. But the exposure of the data could have been worse.
Outside of Texas, larger and more problematic government data breaches continue. The Utah Department of Health reported that, in early April, nearly 280,000 Medicaid clients had their names, birthdates, and Social Security Numbers exposed by a hacker accessing an exposed agency server. In addressing the issue, Utah’s governor admitted that while data was encrypted in transit between agencies, it was not encrypted when on Utah’s servers. The governor added that the breach was possibly related to the failure to change a default password and a contractor’s failure to provide encryption safeguards while implementing the sensitive agency software. Utah’s cost of working with the credit-reporting company Experian following the breach is estimated to be $460,000. Additionally, Utah hired a new health data security ombudsman to oversee case management, credit counseling, and public outreach for individuals impacted by the breach.
As recently as May 12, 2012, California disclosed that a third party vendor, working as a contractor for the California Department of Social Services, transmitted private data stored on microfiche to the State Compensation Insurance Fund. The data included payroll data and other sensitive information concerning California residents. The third party vendor apparently sent the data through the U. S. Postal Service without any added security, and the package arrived damaged and missing thousands of entries. While the investigation of that incident continues, California announced yet another breach on June 1st- a binder containing private medical information was stolen from an unattended vehicle owned by a Department of Health’s Licensing and Certification Program employee. The binder included names, birthdates, medications, and medical record numbers of patients who participated in a survey at Bakersfield Memorial Hospital on May 7, 2012. The cost of responding to this incident is still unknown.
These events have a common theme: the lack of protection and processes for managing sensitive state agency data. But there are simple steps agencies can take to address these potential problems. For example, the Texas Administrative Code Chapter 202, Data Security Standards for State Agencies, includes simple steps agencies should implement to prevent such breaches. The Chapter includes requirements that data be encrypted while on state servers, and further prohibits staff from copying or storing data on a portable computing device, removable media, or a non-agency owned computing device that is not encrypted. See 1 TAC §202.25. This Chapter also sets out requirements that State agencies identify all information owners, custodians, and users of sensitive information. The custodians are further charged with acting as the person responsible for implementing controls and processes to limit exposure of sensitive information.
Based on the continued reporting of data breaches among state agencies, it is imperative that agency leaders ask the following questions:
1. Does my agency encrypt all data on our servers?
2. Does my agency encrypt data while in transit?
3. Does my agency personnel know our rules regarding transferring government data to personal devices?
4. Do I know who my data custodian is?
If the answer to any one of these questions is no, it is time to get a data security program in place.
This message will self-destruct in 5…4…3………