Securing data can be hard work. It can be complicated. It can be expensive. And then sometimes you see people putting so little effort into it that there’s just no excuse.
An example of this was sent to me by a reader. In anticipation of new gun control laws scheduled to take effect October 1, tens of thousands of citizens of Maryland applied for gun permits, which requires a background check.
The Maryland State Police, charged with performing the background checks, don’t have the resources to do it soon enough, and, according to the Baltimore Sun, “Gov. Martin O’Malley said … that the state is mustering all necessary resources” to complete the task in time.
“Mustering all necessary resources” in this case means “cutting corners.”
First the state scanned the forms. Then, in order to expand access to the data necessary to perform the background checks to over 200 data entry personnel in non-law enforcement agencies, the state set up a publicly-accessible web site with a single shared username and password.
The data entered in the site included driver’s license numbers, social security numbers, addresses and other personally identifying information.
There’s an old phrase: “garbage in, garbage out”. I’m wondering if “Personally Identifiable Information” (PIA) should replace “garbage” going forward.
What irks me about these situations is that the same government that puts the protection measures into place often isn’t held to the same protections. These days it seems like governments and their contractors are the ones most likely to end up on the front page with an easily preventable information disclosure.
Perhaps this is yet another example of the public sector in need of disinfecting daylight.