September 2008
Searching for solutions
When a brokerage firm or retailer has a data leak, consumers can take their business elsewhere, as almost one-third of breach victims do, according to a recent study by the Ponemon Institute, a research group in Traverse City, Mich. But as customers of the government, consumers don’t have a choice about giving personal data to federal, state, and local officials. Consumers Union, the nonprofit publisher of Consumer Reports, believes government needs to take these information security actions:

Safeguard computer data. Under new information security rules from the Office of Management and Budget, federal agencies are installing encryption software on all laptops and other devices. They are also imposing security controls to make sensitive electronic data viewable only by authorized employees. State and local governments should impose similar rules.

Protect ID cards. The federal government is removing Social Security numbers from veterans’ benefits cards and expects completion next year. But the numbers are visible on Medicare cards carried by more than 40 million Americans. Consumers Union supports federal legislation to change this and has proposed model state information security legislation.

Fix the courts. Federal courts require that SSNs, financial-account numbers, and the names of minors be removed from court records, but they don’t prohibit posting of other sensitive information. Under experimental rules adopted last year for federal courts, you can ask your lawyer to request that your court documents not be posted online for general public access. But information security rules vary in local courts. Assistant U.S. Attorney Peter Winn, who wrote a paper proposing the new federal-court rules, suggests that people with cases contact the court clerk’s office to find out whether their court records are posted online and, if so, how to get sensitive data redacted.

Provide prompt notification. A bill that would require federal agencies to publicly report breaches was passed in June 2008 by the House and is under consideration by the Senate. At least 40 states have also passed data-breach notification laws, though not all of them compel disclosure of government leaks. Ohio became one of the first states with a chief privacy officer, appointing Sol Bermann to that role in 2007. He says, "Trying to build a culture of privacy and security is a little more challenging than it is in the private sector."

An "information czar" may be needed at the federal level, says U.S. Rep. Tom Davis, R-Va., ranking member and former chairman of the Committee on House Oversight and Government Reform. "We want to consider funding penalties for agencies who fail and personnel reforms to make sure we have people who will ensure those agencies succeed," he says.

Having government behave like a business that sees citizens as valued customers is considered key. "Government employees at all levels must face concrete negative consequences for security lapses so that they learn to treat consumer data as if it were as valuable as gold," says Tim Sparapani, senior legislative counsel at the American Civil Liberties Union, "because that’s exactly what it is in the hands of an identity thief."