Yesterday, while conducting some research for an article I’m writing for one of my clients, I skipped over to the Privacy Rights Clearinghouse’s website to get the latest update on one of my favorite subjects: data breaches. Yes, I know I need to get out more often, but I’ve had a front-row seat for this suddenly hot issue since I joined the staff of the International Association of Privacy Professionals five years ago (which, I guess, is a privacy geek’s way of saying, “I liked that band waaaaay before they were popular”).
In the process of reviewing the year in failed data security, I noticed a very disturbing trend that did not come as a surprise, but which hadn’t struck me until that moment: while TJX Corporation has been rightly getting raked over the coals since the January 17 disclosure that credit card and other personal information of more than 45 million customers had been compromised, the data privacy of most Americans has been perpetually at risk thanks to information security bungling at the hands of local, state, and federal government agencies.
Add state-run colleges, universities, and primary and secondary schools to the mix and the story gets more disturbing.
Perhaps we’ve grown numb to garden-variety privacy violations. After all, when the Veterans Administration allows an unencrypted laptop computer with the names, addresses, Social Security numbers, and other individual-specific information of more than 28 million current and former military service members (a breach that affected me) to go home with an employee, and that computer is stolen, we can’t be expected to get too worried when a computer hard drive is stolen from the California National Guard and the identities of a mere 1,300 soldiers deployed to the Mexican border are put at risk. Or when 4,000 employees at the Indiana Department of Transportation mistakenly have their names and SSNs posted to a non-secure network. Or when sensitive information on 12,000 Broward County, Florida child welfare cases, including adoption information, is stolen by a dishonest employee.
And the list goes on.
According to the Privacy Rights Clearinghouse’s tally, more than 6.2 million people have had their personal information stolen or otherwise put at risk because of security failures at government agencies since January 1, 2007. Included on the list of offenders are:
Wisconsin Department of Revenue
North Carolina Dept. of Revenue
Internal Revenue Service
United States Veterans Administration (Seattle, Wash.)
Chicago Board of Elections
Wahiawa (Honolulu, Hawaii) Women Infants and Children program
Indiana Department of Transportation
Massachusetts Department of Industrial Accidents
New York Department of State
U.S. Veterans Administration (Birmingham, Ala.)
New York Department of Labor
Indiana State Government constituent services website
Social Security Administration (Milwaukee, Wisc.)
California Department of Health Services
United States Census Bureau
California National Guard
United States Department of Agriculture
Ohio State Auditor
St. Mary Parish, Louisiana Child Support Services
Georgia Department of Community Health
Georgia Secretary of State
Federal Emergency Management Administration
Baltimore County Department of Health
Note that the above doesn’t include school systems and state colleges and universities, which would have added no fewer than 275,000 names to that number. Offending schools and systems include:
University of Arizona
University of Idaho (twice)
University of New Mexico (twice)
Clay High School (Ohio)
Eastern Illinois University
University of Missouri
University of Nebraska
Central Connecticut State University
East Carolina University
Iowa Department of Education
City College of San Francisco (twice)
Georgia Institute of Technology
University of Montana – Western
University of California, San Francisco
Chicago Public Schools
Black Hills (South Dakota) State University
Ohio State University
New Mexico State University
When TJX blows it, lawyers get involved, Congressional committees are assembled, and customers can vote with their feet by choosing to shop at competing stores. When the agencies with which we must do business mess up, where do we constituents go? Is there another agency competing to collect my tax dollars, or must I still send my check to the IRS – even if I don’t feel as though I can trust that organization?
Market forces compel TJX to respect the customer. A sense of civic responsibility should be all that is needed to ensure that public agencies maintain the public trust.