The Government’s Data Security Breach and “Data Neutralization”
The AP reports an enormous breach of data security by the government:
Thieves took sensitive personal information on 26.5 million U.S. veterans, including Social Security numbers and birth dates, after a Veterans Affairs employee improperly brought the material home, the government said Monday.
The information involved mainly those veterans who served and have been discharged since 1975, said VA Secretary Jim Nicholson. Data of veterans discharged before 1975 who submitted claims to the agency may have been included.
This data breach is one of the largest ever. There are several points worth mentioning about this fiasco:
1. The government can be just as careless with people’s personal data as businesses and other organizations, which last year revealed data security breaches affecting millions of Americans — over 50 million according to one tally.
2. Keeping massive quantities of personal data creates risks to individuals. People must depend upon those keeping their data to maintain good security practices. This is one reason why, whenever the government collects data about people, we should be concerned.
3. Many data breaches are low-tech and are due to just a few irresponsible individuals or bad apples. Often, all it takes is for one dishonest or careless employee to breach security. In this instance, an employee took the data home, something that the employee wasn’t supposed to do. But why weren’t there better limits in place at Veterans Affairs? It is amazing that an employee can just walk out with personal data on 26.5 million people. Shouldn’t procedures be in place to prevent such things from happening?
4. Congress should look into legislation to neutralize the damage that all the leaked data can cause to people. Many of the laws addressing data security breaches focus on notifying people about breaches and on limiting such breaches. That’s all well and good, but more needs to be done. We need a “data neutralization” law. By “data neutralization,” I mean neutralizing certain pieces of personal information to reduce the potential damage that can be caused when such information is leaked. Leaked Social Security numbers and other identifying information wouldn’t cause so much trouble if the government restricted businesses and other organizations from using them as passwords to gain access to accounts or to verify identity. If these practices are stopped, the leaking of a Social Security number becomes much less harmful.
1. Solove, Free Credit Reports: My Exciting Adventure (Concurring Opinions) (October 2005)
2. Solove, Notice Much Delayed: The FDIC Security Breach (PrawfsBlawg) (June 2005)
3. Solove, Data Security Breach Supersized: 40 Million People Affected (PrawfsBlawg) (June 2005)
4. Solove, Data Leaks: Déjà Vu All Over Again (PrawfsBlawg) (June 2005)
5. Solove, Tallying Up Data Security Breaches (PrawfsBlawg) (May 2005)