Government Data Security Malfeasance! Because you have the right to my opinion

9 October 2006

In breaking news, somebody broke into the Louisburg NC Motor vehicle department and stole their computers.  I live right outside of Louisburg, and I'm not the slightest bit surprised.  It's no secret that Franklin County has a very high poverty and crime rate, yet nobody in the DMV considered putting bars on the windows.

Rural North Carolina is not known for the best and the brightest, but the really astonishing part of this story was that MY OWN personal information (name, driver's license number, SSN, address) was stolen from a Personal Computer!

I first learned about the theft of my personal data in an internet news alert from England, where a security expect bemoaned the incredible stupidity of the State of North Carolina to allow confidential data to be stored on a PC.

I earn my living as a database security expert, and I could not believe that this story was true.  State agencies have been using centralized databases for decades and it was inconceivable to me that the department of motor vehicles could be stupid enough to allow data to reside on a PC!

In my book "Oracle Privacy security Auditing", I write at-length about corporate responsibility to protect the privacy of data that is entrusted to them, and discuss the Federal laws which provide criminal penalties for corporate malfeasance that leads to the disclosure of confidential information.

It's not the theft of the personal computers that troubles me, it's the fact that some Information Technology professional at the DMV allowed 16,000 peoples confidential data to reside on these personal computers!  I've been a full-time database administrator for 25 years, and I've designed DMV systems for foreign countries, and the very first rule for protecting data privacy is to never allow private information to reside on a small personal computer!

We have strong Federal laws to protect our privacy, and we mandate financial institutions to protect our data (The GLB Act), and hospitals are required by HIPAA to carefully protect our privacy.  But guess what?  The government never got around to passing laws requiring State and Federal Agencies to take reasonable precautions to protect our own data privacy.

If this had happened in the corporate world, the database administrator, his superior, and everyone up the chain of command to the Chief Information Officer would have been rightfully terminated for blatant malfeasance.

I'm embarrassed about the sorry state of data privacy in the North Carolina DMV, and I'm willing to bet that the DMV has not taken emergency actions to scrub the confidential data off of the PC's in the other government motor vehicle offices.

So, here I am, with my private data in the hands of criminals all due to an act of unbelievable stupidity.

If the crooks who stole those PC's have 20% of the brains of the N.C. State database administrator who allowed my personal data to remain on the PC's, then well, I'm toast.

It's time we forced our state and federal legislators to pass laws that ensure data privacy within government systems, laws with sharp teeth and compensation for the victims.