Commentary

Whoís got the worst record on data security?

Government agencies and universities have accounted for the overwhelming majority of breaches in data security, according to Privacy Rights Clearinghouse, an organization that has been tracking data breaches since California made reporting of them mandatory in 2002. State and federal governments have accounted for 60 percent of the reported breaches. The retailing industry, which is often demonized in the media as apathetic to consumer privacy, accounted for only 3 percent. Banks and financial institutions accounted for 9 percent. Elizabeth Oesterle, senior director, government relations counsel for the National Retail Foundation broke down the breaches at last week’s National Conference of State Legislators’ Spring Forum. Governments, especially, she said, rely too heavily on social security numbers as identifiers. No sooner did I absorb this when, upon arriving home from the conference, I found a letter from a state (which shall remain nameless) department of revenue inquiring about a tax return on a trust fund I manage. Not only did the letter contain the name, address and corresponding bank account number, but the “case number” was the social security number associated with the name on the bank account. Somewhere, on some PC, server, disk, tape or hard drive, this data resides alongside that of millions of other individuals. It’s a serious breach waiting to happen. While thefts are invariable, one way states can protect their citizens’ identity and privacy is to stop using social security numbers as identifiers for other business. Ironically, some states now require this of private business. For example, Texas (not the state involved in this example) prohibits health insurers from using all or part of a policyholder’s SSN as an account number.