Topic category:  Other/General

by Jim Kouri, CPP

The recent security breach at the Department of Veterans Affairs, in which personal data on millions of veterans were compromised, has created a firestorm of criticism from military families across the nation, especially since no one was notified that they were a victim of information theft.

In addition to the VA data theft, a computer hacker was successful in stealing a file containing the names and Social Security numbers of more than 1,500 people working for the Energy Department's nuclear weapons agency.

The data theft occurred in a computer system at a service center belonging to the National Nuclear Security Administration in Albuquerque, New Mexico. The file contained information about contract workers throughout the agency's nuclear weapons complex, a department spokesman said. Unfortunately, none of the individuals whose information was contained in the stolen computer file was ever notifed of the problem.

These two cases have highlighted the importance of the federal government's procedures for protecting personal information.

As the federal government obtains and processes information about individuals in increasingly diverse ways, it remains critically important that it properly protect this information and respect the privacy rights of individuals.The Government Accounting Office was recently asked to testify on preventing and responding to improper disclosures of personal information in the federal government, including how agencies should notify individuals and the public when breaches occur.

Information security experts say that agencies can take a number of actions to help guard against the possibility that databases of personally identifiable information are inadvertently compromised.

The first key step is to develop a privacy impact assessment -- an analysis of how personal information is collected, stored, shared, and managed -- whenever information technology is used to process personal information. These assessments are required by the E-Government Act of 2002. They are a tool for agencies to fully consider the privacy implications of planned systems and data collections before implementation, when it may be easier to make critical adjustments.

The second key step is to ensure that a robust information security program is in place, as required by the Federal Information Security Management Act of 2002 (FISMA). Such a program includes periodic risk assessments; security awareness training; security policies, procedures, and practices, as well as tests of their effectiveness; and procedures for addressing deficiencies and for detecting, reporting, and responding to security incidents.

More specific practical measures aimed at preventing inadvertent data breaches include limiting the collection of personal information, limiting the time that such data are retained, limiting access to personal information and training personnel accordingly, and considering the use of technological controls such as encryption when data need to be stored on mobile devices.

When data breaches do occur, notification to the individuals affected in government and the public has clear benefits, allowing people the opportunity to take steps to protect themselves against the dangers of identity theft. Although existing laws do not require agencies to notify the public when data breaches occur, such notification is consistent with agencies' responsibility to inform individuals about how their information is being accessed and used, and it promotes accountability for privacy protection.

That said, care is needed in defining appropriate criteria for incidents that merit notification. Notifying individuals of security incidents that do not pose serious risks could be counterproductive and costly, while giving too much discretion to agencies could result in their avoiding the disclosure of potentially harmful breaches.

Care is also needed to ensure that notices are useful and easy to understand, so that they are effective in alerting recipients to actions they may want to take to minimize the risk of identity theft.

Among other things, it is important to provide context in the notice --explaining to recipients why they are receiving a notice and what to do about it. It is also important the notices be coordinated with law enforcement to avoid impeding ongoing investigations. Given that individuals may be adversely impacted by a compromise of their personal information, it is critical that they fully understand the nature of the threat and the options they have to address it.    

Jim Kouri
Chief of Police Magazine (Contributing Editor)

Biography - Jim Kouri

Jim Kouri, CPP is currently fifth vice-president of the National Association of Chiefs of Police. He's former chief at a New York City housing project in Washington Heights nicknamed "Crack City" by reporters covering the drug war in the 1980s. In addition, he served as director of public safety at a New Jersey university and director of security for a number of organizations. He's also served on the National Drug Task Force and trained police and security officers throughout the country. He writes for many police and crime magazines including Chief of Police, Police Times, The Narc Officer, Campus Law Enforcement Journal, and others. He's appeared as on-air commentator for over 100 TV and radio news and talk shows including Oprah, McLaughlin Report, CNN Headline News, MTV, Fox News, etc. His book Assume The Position is available at Amazon.Com, Booksamillion.com, and can be ordered at local bookstores. Kouri holds a bachelor of science in criminal justice and master of arts in public administration and he's a board certified protection professional.