William Jackson | New rules for personal data start a long process
- By William Jackson
- Jun 04, 2007
The Office of Management and Budget has handed down a set of requirements on 'safeguarding against and responding to the breach of personally identifiable information.' It requires, among other things, that agencies reduce the amount of personal information held and establish by September a policy for notifying persons whose information might have been compromised.
This is a welcome move, but do not expect any immediate dramatic changes in how our personal data is handled. A good part of the 22-page memorandum is devoted to reminding agencies of 'existing security requirements agencies already should be implementing' under current security and privacy laws. Other requirements, such as the culling of unnecessary Social Security numbers, probably will take a long time to accomplish.
Still, it is a start, and if there is adequate follow-through the new policies could result in meaningful improvements in the security of this sensitive data. The most heartening thing in the directive is the realization that 'a few simple and cost-effective steps may well deliver the greatest benefit.' These steps include:
- Reducing the volume of information collected on individuals to the minimum needed.
- Limiting access to that information to only those who need it.
- Using encryption, strong authentication and other security tools to protect the information.
The May 22 memorandum is an outgrowth of the Identity Theft Task Force, established by executive order in May 2006 to develop a strategic plan for combating this growing problem. The task force submitted its plan in April. One of its key recommendations for government was to 'decrease the unnecessary use of Social Security numbers,' which it identified as 'the most valuable commodity for an identity thief.'
That recommendation has been incorporated as part of broader requirements in the OMB directive. Specifically, agencies are required to review all current holdings of personally identifiable information and ensure that these are 'accurate, relevant, timely and complete, and to reduce them to the minimum necessary.' Plans and progress reports on this process will be included in the agency's reporting under the Federal Information Security Management Act.
Agencies also must review their use of Social Security numbers and within 120 days establish a plan to eliminate the unnecessary collection of the numbers over the next 18 months. They also will look for new unique identifiers that can be used to replace the Social Security number.
These are likely to be daunting tasks. As efforts at FISMA compliance have shown, any inventory of resources 'whether it is hardware, software or data ' is time-consuming. Once this formidable job is completed, it is likely to be just as difficult to identify and remove unneeded data. OMB warns agencies that there will be no new money appropriated for these jobs. Who is the lucky guy who gets to sift through gigabytes of data, looking for and deleting Social Security numbers? And how do we ensure that unneeded data is not only merely deleted, but is really most sincerely deleted? Information once gathered has a tendency to hang around, and getting rid of it can be as hard as retiring legacy hardware. It could take generations to see a real improvement in the situation, and old-timers like myself whose SSN has been used for decades as an identifier may not live to see our records completely scrubbed.
But this is not to say that the effort is not meaningful. This is work that should be done, and the sooner it is started the sooner we will see some results. The memorandum apparently is intended to have some teeth to it. The final section addresses new requirements for policies on 'rules and consequences.' Managers, supervisors and employees are to be held responsible for safeguarding personally identifiable information, and consequences are mandated for when they screw up, ranging from reprimand through suspension and removal.
Realization of the threat posed by unnecessary aggregation of data has come to us rather late in the game, but let's hope it is not too late to make some improvements.
William Jackson is a Maryland-based freelance writer.