BreachExchange mailing list archives

There’s no excuse for careless handling of sensitive personal information


From: Erica Absetz <erica () riskbasedsecurity com>
Date: Tue, 21 May 2013 09:21:51 -0500

http://www.buffalonews.com/apps/pbcs.dll/article?AID=/20130521/OPINION/130529888/1074

Is there something in the air here, or have leaders in Western New
York never heard of identity theft? The carelessness with which
records containing personal information are being strewn about the
landscape – literal and digital – is as astonishing as it is
disturbing.

Last week, it was Dent Neurologic Institute acknowledging that it
emailed out private information on more than 10,000 patients.

Thankfully, that mistake did not reveal sensitive medical files,
Social Security numbers or other highly sensitive information. No such
luck with the Erie County Department of Social Services.

An audit by County Comptroller Stefan I. Mychajliw revealed that
department employees have carelessly disposed of old records,
potentially threatening the privacy of hundreds of the department’s
clients. Among the documents were copies of birth certificates,
personal medical records, Social Security numbers, bank accounts, tax
returns, inmate records, payroll information, court records and
passports. Could the information be any more sensitive?

The problem is that some workers had been discarding these documents
in the totes meant for recycling instead of securing them in the
locked totes meant for documents that will be shredded.

County officials say they have fixed the problem and questioned
Mychajliw’s motives for making the matter public, which only goes to
show that it is possible to do the right thing and still miss the
point. No doubt the comptroller has an affinity for publicity, but he
is the public’s watchdog. It is his job to report to the public, which
directly elects him. He would be criticized, and rightly, if he didn’t
report the findings.

Furthermore, county officials pointing back at Mychajliw are running a
diversion. The point isn’t the comptroller’s motives for publicizing
his findings, it’s the findings. At this point, well into the 21st
century, there can be no excuse for dealing carelessly with private
information, especially by medical offices and government agencies
that deal with the most sensitive information imaginable.

We should have this procedure down by now, but clearly there is still
a learning curve. It would be wise for all medical officials and all
arms of government agencies – from village halls to Albany and
Washington – to review how they handle personal information, from
collection to storage to disposal.

Indeed, Erie County Executive Mark C. Poloncarz should start from the
premise that all areas of government are procedurally compromised in
this regard, and proceed from there. It would be unlikely that only
one county department has been lax with this kind of data. Similarly,
Buffalo Mayor Byron W. Brown and other municipal leaders should assume
they have problems and move to evaluate their systems and institute
corrections where needed.

It will be a lucky thing if, between these lapses, no one suffers from
disclosure of his or her sensitive personal information. If anyone
does going forward, it should be considered a crime.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
