How safe is your information with government? USA- VA-Veterans- UK- HMRC

 

How safe is your information?

Summary:
Your personal information is not safe, since millions of records are floating around and being exchanged by government authorities with little vested interest in keeping them secure. Most people would be shocked at the lack of care that is taken to protect their privacy despite legislation and mounds of policies & procedures. Many breaches are a result of a "lack of good common sense". Others are well orchestrated by thieves who understand the weaknesses of the system and the value of personally identifiable information.

Data safety

Advice:
One of the major problems is the Public's perception that the Government is the trusted storehouse of our historical records. We seem to think we can demand access to these records at any time to satisfy our own needs. The list is long: school transcripts, immunization records, municipal property records, medical records from numerous sources, etc.
All the while, masses of useless information are being retained in the unlikely event someone may request it. The more data that is retained and the more people who have access to it, the more the likelihood of a breach increases exponentially.
We suggest that you do not share your personal information with any government organization unless absolutely necessary to receive services or to identify yourself.
We hear the same old stories about missing data over and over again. "There were adequate safeguards in place but the budget was approved late this year." Or "Who would have thought Joe would have taken those records home to work on?"
Until independent Privacy Commissioners, backed by adequate enforcement personnel, can lay real criminal charges against thieves and companies, our information might as well be "blowing in the wind". Another tool that is missing is the same charges, plus employment termination, for top level bureaucrats and department heads charged with the responsibility of keeping our records safe.
The following are just examples of incidents in a rapidly growing list: (most go unreported)

In Britain, the Privacy watchdog government agency claims the widening use and growth of huge Public databases is increasing the risk of the Public's private information being lost or stolen (Oct. 29, 2008). Additional data breaches number over 277 since British citizens became faced with the largest data breach of personally identifiable information (Nov. 20, 2007), with 25 million missing records of recipients of child benefit information. It would appear that the records were sent but did not arrive at their destination. The fact that this type of information could be requested or transferred in such volume in the first place puts the whole system under suspicion.
With the resignation of UK HMRC chairman Paul Gray, it appears a junior employee used the department’s internal mail system to send to the National Audit Office two password-protected discs that contained a full, unencrypted copy of the department's data relating to the payment of child benefit. The discs never arrived. They included bank account details, parents’ and children’s names, addresses, dates of birth, child benefit and national insurance numbers, involving twenty-five million records including details on over seven million families.
Despite having procedures in place, the directives were ignored on two recent occasions, which brings into question whether it was a direct violation of the Data Protection Act by all personnel involved. This brings into question "why personnel working in positions of Public Trust are not being held responsible and punished to the full extent of the law?" On the other hand, workers’ unions are blaming the breach on the “enormous pressure being placed on HMRC by government-imposed job cuts.”

When are these people going to get a grip on reality? All Civil Servants take an oath to serve the Public's best interests. Why so much data was requested in the first place, in such detail, and for what purposes needs to be investigated thoroughly. "When are organizations going to realize that personal information is the new form of gold bullion in today's information age?"
In another example, the records of millions of American military personnel (Veterans) and thousands of US Department of Agriculture (USDA) personnel records were compromised through sloppy policy and procedures. This incident goes to prove that a lot more needs to be done in evaluating and implementing stricter controls on who handles confidential information and how it is handled. We disagree that most incidents are caused solely by a lack of skills training at the Staff level.
In the USDA's incident, current and former Staff records, SIN numbers and photos were hacked in early June 2006. In many of these cases, the people responsible for the data are uncertain what data was compromised, so these systems are shut down as a preventive measure. Add the expense of off-line systems and the inconvenience of going back to a manual system (especially payroll), and you can start to appreciate the real cost of a breach.

Somewhere along the line, the practice of taking personal information away from the Veteran Affairs Office for work purposes became commonplace. In this case, the thieves may or may not have had an appreciation for what they took. Usually, it is very well planned and executed. Approval was granted for this information to be accessed and potentially downloaded or captured from a remote computer(s), which only invites misuse. To illustrate how expensive it is to try to rectify this situation, the Senate Appropriations Committee has allocated $160 million for credit monitoring services at the VA alone. The long term damage is the "breach of trust" that occurred.
We have several basic methods and review procedures that help to avoid the expensive and painful experience of a breach. The trust you have worked so hard to build can be lost in seconds when due diligence is not exercised.
In the recent British breach, it seems to be more a case of poor procedure. At best, the records should have been prepared in advance (heavily encrypted) and sent through protected government transport. In addition, several steps should have been taken to determine whether that type of information could be requested and transported in the first place, let alone in its entirety. Unfortunately, the damage to the integrity of the system has already occurred.

We have not met anyone who is not sincere about protecting the information they work with. Most times, it is just plain sloppy policy and procedures. There is a lack of understanding of just how much damage a single computer or disk can cause. Large manual filing systems have many checks and balances that prevent a massive amount of records from being compromised. Computers make records easy to access unless the same basic concepts are applied.

News Items

February 10, 2010 - New Zealand- Accident Compensation Corp.
ACC has apologized after private information, numbering in the thousands, was sent out to the wrong businesses. Each month businesses are sent a report on injuries which have occurred in their workplace and ACC says the external mail house which sends out the reports had a problem in January. The mailout resulted in about 2000 businesses receiving information intended for other organizations. General manager Keith McLea says a full investigation has been requested into the breach of privacy. He says they are very disappointed privacy may have been breached and apologize unreservedly to those affected. And he says the mailing company it uses has apologized for the mistake. McLea says they are doing everything possible to ensure it does not happen again. In two months ACC will switch to digitally sending out the information. 1

Wednesday, 21 November 2007- Child Benefit benefits info missing Dublin, Ireland
"An immediate review of data protection systems in the Northern Ireland Civil Service has been ordered by Finance Minister Peter Robinson.

The move came in the wake of the admission by Chancellor Alistair Darling that details of all UK families in receipt of child benefit allowances had been lost by HM Revenue & Customs.
Information lost on two computer discs involves child benefit data including the names, ages, bank account details and address of some 7.25 million families, several hundred thousand in Northern Ireland.
The discs went missing after being sent by courier by the UK Revenue authorities in Newcastle to the National Audit Office in London.
Mr Robinson said the protection of personal information relating to Northern Ireland citizens had been the focus of a review operation in the summer.
The new four-week review would assess the effectiveness of measures already in place, he said. Mr Robinson said the need for vigilance within the Civil Service locally was reinforced in August through internal guidance issued to all departments regarding the potential for the possible compromise of personal information.
Mr Robinson has urged all Northern Ireland recipients of child benefit payments to be vigilant and to monitor their bank statements in case criminals have tried to hack into their accounts.
The Information Commissioner's Office in Northern Ireland was inundated with calls about the security breach.
Extra staff had to be moved to answer calls to its advice line after it received two days' worth of calls in two hours from worried callers.
Ireland's Data Protection Commissioner, Billy Hawkes, has said the loss of two discs in the UK is a wake up call for the Irish authorities.

Speaking on RTÉ Radio's News At One programme, Mr Hawkes said he had serious doubts about the quality of data security in some of the agencies that hold data in Ireland.
Brown apologizes for loss of data. The British Prime Minister, Gordon Brown, has said he 'profoundly regrets' the loss of the records. Speaking in the House of Commons, Mr Brown said he apologized for the 'inconvenience and worries' caused and said the British government was working to prevent the data being used for fraud.
The leader of the Conservative Party, David Cameron, said the government had 'failed in its first duty to protect the public'.
Speaking on BBC News 24 this morning, The British Chancellor, Mr Darling, said a junior official should never have been in a position to post the sensitive information. However Mr Darling added that there was currently no evidence to suggest it had fallen into the wrong hands.
Asked if he had considered resigning over the affair, Mr Darling said it was his job to deal with the situation, and he pledged to do so." 1
It has been far too quiet since this item: Department of Justice-
On 21 November 2007, the Prime Minister asked Kieran Poynter, the chair of PricewaterhouseCoopers, to lead a review on what led to the loss of confidential personal information, including national insurance numbers and bank account details, of Child Benefit recipients and the lessons to be learnt from the incident. An Interim Report was published in December 2007 which set out the work Kieran Poynter has already put in hand. It makes recommendations as to the immediate steps that Revenue and Customs must take to protect data security. It has already put in place a number of measures.

May 23, 2006- Veterans Records Stolen From VA Official's Home, By Tim Starks, CQ Staff

"Department of Veterans Affairs Secretary Jim Nicholson said Monday that the names, dates of birth and some disability rating information of up to 26.5 million veterans have been stolen from the home of a VA official.
The official, whom Nicholson would not name, has been placed on administrative leave for possessing the information, but Nicholson said there is no evidence it was being misused - the employee was working on a VA project on a computer from home.
"There is no indication at any time that any use is being made of this data, or even that they know they have it," Nicholson said of the burglar.
Despite those assurances, members of Congress are likely to have plenty of questions for the VA.

"Of course, the 26.5 million is an alarming number. If that personal data gets in the wrong hands - that's the No. 1 concern of a lot of our members," said a Democratic aide to the House Veterans' Affairs Committee. "We want to find out what happened, how it happened and how we can prevent it from occurring again."
The Federal Bureau of Investigation, local law enforcement officials and the VA inspector general are all investigating the incident.
Nicholson said the VA had established a call center for veterans who have further questions. The number is 1-800-333-4636.
Nicholson said the incident also would be discussed at an afternoon meeting of the President's Identity Theft Task Force. Additionally, Nicholson said the VA would accelerate the timetable for all pertinent employees to take cybersecurity training courses."3

1.- Retrieved Feb. 10, 2010 from http://tvnz.co.nz/national-news/acc-sorry-privacy-breach-3356228 ONE News/Newstalk ZB.

2.- Retrieved Nov. 21, 2007 from http://www.rte.ie/news/2007/1121/britain.html © RTÉ 2007- RTÉ Commercial Enterprises Limited, Registered in Dublin,Ireland.

3.- Retrieved May 23, 2006 from http://www.ct.gov/ctva/cwp/view.asp?Q=314892&A=2088
Copyright © 2002 - 2006 State of Connecticut.

Governor Rell Offers Tips to Veterans to Prevent Identity Theft - May 23, 2006

Governor M. Jodi Rell today ordered several actions to assist Connecticut’s 280,000 veterans in monitoring their privacy and credit information in response to the recently disclosed theft of personal data from the U.S. Veterans Administration and to ensure any similar state data remains secured.- May 24, 2006

Connecticut Veterans looking for the latest information from the federal government about the loss of data may contact 1-800-FED-INFO (333-4636) or visit www.firstgov.gov.


The Fair Credit Reporting Act (FCRA) requires each of the nationwide consumer reporting companies — Equifax, Experian, and TransUnion — to provide you with a free copy of your credit report, at your request, once every 12 months. Be sure to correctly spell annualcreditreport.com, or link to it from the FTC's website to avoid being misdirected to other websites that offer supposedly free reports, but only with the purchase of other products. While consumers may be offered additional products or services while on the authorized website, they are not required to make a purchase to receive their free annual credit reports.

In Canada, there are similar requirements for credit bureaus to provide a free annual credit report, with the ability for the consumer to request corrections. Please note that the bureau is under no obligation to take your word over that of their Members. You guessed it: banks, government, credit card and insurance companies, etc.



© Asystematics,1992- 2011. All rights Reserved. Other marks with permission.