Okay, here’s another example of a ridiculously dumb privacy breach that occurred, in Iowa this time, through a government agency posting information on the Internet…

“Breaking news: Land records removed from Web”
As a brief summary, the Iowa land records site, IowaLandRecords.org, had posted a ton of personally identifiable information (PII), including the Social Security numbers (SSNs) for Governor Chet Culver and Secretary of State Michael Mauro.
The county recorders from each of Iowa’s 99 counties are responsible for posting mortgage and commercial land record documents to the site.

“Culver’s and Mauro’s Social Security numbers were redacted soon after the online story was posted but thousands of other records remained on the site until early this afternoon. Culver, on Tuesday, requested that all the records with personal information that can be used in identity theft be immediately removed.”

Three cheers for Governor Culver! To only remove the PII of elected officials and leave everyone else’s on the Internet would have been gross negligence.

“The records association proposed state officials allocate money for a comprehensive redaction project to remove Social Security numbers from the records. They said the money could be attained through temporary recording fees. That cost could be “in the seven figures” but exact estimates were not available, a spokesman for the group said.
Or, the group suggested increased security on the Web site by requiring registered users provide more information so it is known who is accessing the records.”

The first idea is a good idea.
The second idea is a horrible idea. There is no reason to give SSNs and other PII to individuals who have no business responsibility for that PII. Simply knowing who accesses PII is not a safeguard! Certainly access should be logged, but logging access to PII is appropriate for individuals who have authorized access to the PII because of business responsibilities, and to identify unauthorized access.
Knowing the potentially thousands of people who are accessing PII will not keep them from doing bad things with that PII.

Tags: awareness and training, Chet Culver, cybercrime, Des Moines Register, Information Security, Iowa, IowaLandRecords.org, IT compliance, IT training, Michael Mauro, PII, policies and procedures, privacy training, risk management, security training, social security numbers, SSNs

This entry was posted on Wednesday, September 3rd, 2008 at 9:05 pm and is filed under government, Privacy and Compliance, Privacy Incidents. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.