Last week, and in various other columns I’ve written for you through the years, I focused on how private enterprises’ handling of our precious, private data can cause real problems for us. After 50 years of the internet’s evolution, which has changed how business is conducted in the most fundamental way, the bitterness of computer crime balances the sweetness of profits built on the web’s efficiencies.
It makes sense to learn and share about your vulnerability in the commercial space. Nearly everything you do implicates this information security domain. You wake up and check your email, then click into an online news feed, and before your first cup of Joe you certainly want to see what’s going on in social media. If that doesn’t sound like your daybreak routine, don’t be naïve thinking that you’re low-tech so you’re immune. No email? Your regular mail, the USPS, also handles and maintains personal, medical, and financial information. Get your news at WKYT or LEX18 rather than Google? Well, whoever provides your television feed holds, and therefore may lose, your personal data. Like it or not, you are part of the network of data custodians.
It’s also sensible to understand these modern-day risks of doing business because the companies are big targets for hackers. Looking at only four of the 50,000+ reported breaches in industry (many businesses try to save face by keeping their breaches secret), the four being Uber, Anthem, Yahoo!, and Experian, in 2018 and early 2019 there were well over a half-billion records compromised and over $370 million in lost revenues due to cyberattacks. Those are four big examples, but only a scant accounting of the breadth of the problem. Yet, getting schooled about commercial information security threats such as these only covers part of the landscape. Where else might your private data be held? The government.
In some respects, the government’s maintenance and control (or not) far surpasses what Facebook, Walmart, and Google hold. Consider filing your taxes. Or, visiting a Veterans Affairs healthcare facility. Or, getting a speeding ticket. In fact, on this last example of court records I have my students conduct an eye-opening exercise. Some students are in the Tri-County, but due to the online environment of my teaching I see the problems arise all over. I send them to their local courthouse where open records laws, generally, allow the public to review court case records. They’re not going to the courthouse to learn legal principles but rather to see how much private information is widely available to the public. Without fail, every time I do this I get reports back about social security numbers, dates of birth, a plethora of banking information, and you-name-it else. In some cases, those private nuggets are supposed to be redacted from the record but aren’t, perhaps because the case is so old that no one went back to hide the information, or it just slips through the cracks, or some jurisdictions simply don’t have such laws protecting us.
Governments differ from industry in two important and related ways, and they don’t appear to be helping the issue. First, unlike companies, when a government agency gets hacked and your information gets into the hands of cyber criminals you can’t sue it and it doesn’t fine itself. That is, the government’s financial exposure isn’t the same risk that a company’s is when these crimes occur. Also, in one very real sense the government is a monopoly. Business leaders know that one of the greatest expenses after a security incident is the damage to the firm’s reputation. Thus, the too-often secretive response mentioned above. If Target’s security is lax and it costs you time and effort when they let loose of your credit card information, you can shop elsewhere. If a court’s clerk overlooks one line of print in a foot-high stack of case documents, thereby exposing your private data, you can’t then find somewhere else to file for divorce. The vastness of government-held data, coupled with these factors where the risk is much less (other than at the ballot box, perhaps) than companies face, makes for a dangerous combo. What to do?! (psst … lawmakers, that rhetorical question is to you).
For now, I’ll take a pass at getting into federal laws meant to help protect you from the government’s data practices. Instead, let’s get into the more localized protections, in particular Kentucky’s Personal Information Security and Breach Investigation Procedures and Practices Act (exhale!). Even using the initialism PISBIPPA lumbers across one’s lips. I’ll just go with “the Act.”
The Act became effective in 2015 and, from the mile-high view, requires Kentucky agencies at both the state and local levels to secure our precious, private information, and then to notify us when (not “if”) such security measures fail and the bad guys nab our data. It’s meant to help in various ways. First, it defined what “personal information” is. According to the Act, personal information includes financial, personal, and other data. Second, it requires our agencies to implement, maintain, and update security procedures and protocols, the “update” requirement being oh-so-important. Third, if an agency gets hacked, it must escalate that incident and, potentially, let us know about what happened to our information. It’s critical to understand that these protections extend beyond the government’s offices. Think about the many businesses that help our agencies through contract services. They, too, must comply. It’s costly, and if I may say, helpful.
Now that you know that in Kentucky there are some protections in place in the arena, I put the control of your private medical, financial, and personal data back in your hands. Next time you work with a government office ask them how they’re protecting you. It’s your information, and in fact it’s your government.
Ed is a professor of cybersecurity, an attorney, and a trained ethicist. Reach him at firstname.lastname@example.org.