More than 50 million personal identities were reported exposed or compromised in the last six months, mostly from theft, system breaches, and loss during transport. Most of the exposure has been at businesses and universities. But that doesn't mean that government entities haven't had similar incidents and aren't also vulnerable.
Government agencies have reported only a smattering of security breaches involving personal data, perhaps because, until recently, few laws existed compelling them to go public. But problems are lurking. The Internal Revenue Service, with one of the most extensive collections of personal data, in June ordered a security review of a five-year, $20 million contract it has with ChoicePoint Inc., the data aggregator that allowed criminals to access data on 145,000 people. Earlier this year, in April, the Government Accountability Office found the IRS had 39 new information-security weaknesses, in addition to 21 previously identified and uncorrected problems. The Department of Homeland Security came under fire in July when the GAO said its systems don't meet federal information-security standards.
The problems aren't limited to federal agencies. In March, thieves broke into the Department of Motor Vehicles office in Donovan, Nev., and stole the system used to create drivers' licenses and IDs. They took a camera, printer, and hard drive containing personal information on 8,738 people, including signatures and Social Security numbers, as well as supplies to make licenses. In April, an employee of Georgia's Department of Motor Vehicles stole personal data on "hundreds of thousands" of people, according to the Privacy Rights Clearinghouse, a nonprofit consumer-advocacy group that has maintained a list of security lapses since the ChoicePoint incident was revealed in February.
A system that tracks child-support cases will have data protection built in at a "very granular level," California CIO Kelso says.
While the public sector hasn't had a major headline-grabbing attack, that's no guarantee of the future security of constituent and employee personal data. "All we need is one major breach to cause citizens to wonder about the rest of the data the government has," says Lester Nakamura, administrator of Hawaii's Information and Communication Services Division and chairman of the National Association of State CIOs' privacy committee.
"We're all subjected to the same basic set of risks," says J. Clark Kelso, CIO of California. "When I read about the recent attacks, I don't put too much stock in the fact that [the state government] hasn't had a serious breach in three years. Eventually, our number will come up."