@Info.Policy: Is your sensitive data secure enough?
- By Robert Gellman
- Aug 20, 2004
How many different categories of sensitive government information can you name?
Let's begin with information classified by executive order for national defense or foreign policy purposes. Information about atomic weapons is a different kettle of fish, restricted by statute.
Another statute defines unclassified, controlled nuclear information. UCNI is a prime example of information that can be withheld from the public without a corresponding obligation to protect it like classified information.
The Freedom of Information Act sets general rules for public disclosure, but not all data exempt from public disclosure is or should be considered sensitive. The 1974 Privacy Act limits the disclosure of personal data in government files.
Privacy Act information, in turn, overlaps sensitive information as defined by yet another statute to include both personal data and information about computer systems.
Sensitive information is not the same, however, as sensitive security information, which relates to transportation.
Then we have critical infrastructure information, or CII. This category encompasses some data submitted by industry to the Homeland Security Department, and it is another type of unclassified but nonpublic data with its own characteristics.
CII, however, is not the same as CEII, or critical energy infrastructure information, defined by the Federal Energy Regulatory Commission. CEII is unclassified, but FERC will give it only to people with a 'need to know' who sign a nondisclosure agreement.
Although we haven't even gotten to SBU (sensitive but unclassified) information, the point should already be clear. Current policies make little sense.
It's OK to protect some data, but we have so many different categories that it is a major challenge to keep track of the categories, let alone the actual policies. Heaven help any agency whose data falls into more than one category.
Most recent growth in data categories has been in data without either significant security obligations or disclosure requirements. This is the best of all possible worlds for avoiding public oversight. It's probably fine for spies and terrorists, too.
We don't seem to do a good job of protecting classified data, which is subject to strict security, so it can't be so hard to obtain sensitive data with lesser protections.
The government's approach to sensitive data is nutty and getting nuttier. More categories of sensitive information do not equal more security. The most likely result will be less accountability and more disrespect for rules. To paraphrase Supreme Court Justice Potter Stewart's famous line, when all information is sensitive, then nothing is sensitive.
We need more standardization here. Every agency or type of data doesn't need its own category. There should be no more than three standard categories of sensitive information, including national security information.
We could reform, but only if we modify a zillion laws and policies all at the same time. Don't hold your breath. File this idea in the good but impossible category. Robert Gellman is a Washington privacy and information policy consultant. E-mail him at email@example.com.