Government Data Security Malfeasance!
Because you have the right to my opinion
9 October 2006
In breaking news, somebody broke
into the Louisburg NC Motor vehicle department and
computers. I live right outside of Louisburg, and I'm not the
slightest bit surprised. It's no secret that Franklin County has a very
high poverty and crime rate, yet nobody in the DMV considered putting bars on
Rural North Carolina is not
known for the best and the brightest, but the really astonishing part of this
story was that MY OWN personal information (name, driver's license number, SSN,
address) was stolen from a Personal Computer!
I first learned about the theft
of my personal data in an internet news alert from England, where a security
expert bemoaned the incredible stupidity of the State of North Carolina to allow
confidential data to be stored on a PC.
I earn my living as a database
security expert, and I could not believe that this story was true. State
agencies have been using centralized databases for decades and it was
inconceivable to me that the department of motor vehicles could be stupid enough
to allow data to reside on a PC!
In my book "Oracle
Privacy Security Auditing", I write at length about corporate responsibility
to protect the privacy of data that is entrusted to them, and discuss the
Federal laws which provide criminal penalties for corporate malfeasance that
leads to the disclosure of confidential information.
It's not the theft of the
personal computers that troubles me, it's the fact that some Information
Technology professional at the DMV allowed 16,000 people's confidential data to
reside on these personal computers! I've been a full-time database
administrator for 25 years, and I've designed DMV systems for foreign countries,
and the very first rule for protecting data privacy is to never allow private
information to reside on a small personal computer!
We have strong Federal laws to
protect our privacy, and we mandate financial institutions to protect our data
(The GLB Act), and hospitals are required by HIPAA to carefully protect our
privacy. But guess what? The government never got around to passing
laws requiring State and Federal Agencies to take reasonable precautions to
protect our own data privacy.
If this had happened in the
corporate world, the database administrator, his superior, and everyone up the
chain of command to the Chief Information Officer would have been rightfully
terminated for blatant malfeasance.
I'm embarrassed about the sorry
state of data privacy in the North Carolina DMV, and I'm willing to bet that the
DMV has not taken emergency actions to scrub the confidential data off of the
PCs in the other government motor vehicle offices.
So, here I am, with my private
data in the hands of criminals all due to an act of unbelievable stupidity.
If the crooks who stole those
PCs have 20% of the brains of the N.C. State database administrator who allowed
my personal data to remain on the PCs, then well, I'm toast.
It's time we forced our state
and federal legislators to pass laws that ensure data privacy within government
systems, laws with sharp teeth and compensation for the victims.