On March 22, we learned through The New York Times that:
The Federal Emergency Management Agency unnecessarily shared sensitive personal data of more than two million disaster victims with a contractor, subjecting that information to potential identity theft and fraud….1
This is troubling to me on a number of levels.
The Right to Secure PII and PHI
As a U.S. citizen, I am troubled that one of my government agencies did not do what was necessary to protect the personal data of my fellow citizens. Data privacy is a right and, though this may seem old fashioned, I expect my government agencies to defend my rights, not to disregard them.
Desensitization to the Problem
As a data security professional, I am troubled, because each additional breach or, in this case, instance of oversharing, desensitizes us to the importance of protecting our personally identifiable information (PII) and our personal health information (PHI). But those who have suffered the pain and frustration of having their identity stolen and gone through the months and even years of work it takes to clean up the mess will tell you protecting PII is critically important to financial safety and wellbeing.
Not Employing Best Practices for Protecting Data
As a data security professional, I am more than troubled. I’m appalled.
Despite years of data security attacks, stacks of federal regulations, and a clear understanding among data security professionals regarding what best practices for data security are, a government agency unnecessarily shared sensitive data of more than two million people. You could dismiss this as someone, somewhere, making a simple mistake. But when the data security of real people is involved, systems should be in place to keep simple mistakes from occurring.
Let me briefly outline standard best practices for protecting sensitive data. Any time you deal with PII or PHI, you should encrypt that data. It should never sit in clear text. This ensures that the data itself is meaningless to anyone who views it, unless they have the keys necessary to decrypt it. If it gets stolen (or shared) and the people receiving the data do not have the keys, no harm is done.
The next step is to control access to the decrypted data (or more precisely to the system that employs the keys to decrypt the data and display it as clear text). Here the principle of least privilege (POLP) is critical.
POLP is the practice of limiting access rights for users to the bare minimum permissions they need to perform their work. Under POLP, users are granted permission to read, write or execute only the files or resources they need to do their jobs: In other words, the least amount of privilege necessary.
Additionally, the principle of least privilege can be applied to restricting access rights for applications, systems, processes and devices to only those permissions required to perform authorized activities.2
For example, our Vormetric Data Security Manager (DSM), that orchestrates the Vormetric Data Security Platform, including transparent encryption and tokenization, allows administrators to specify granular data access policies as well as administer DSM users and logical domains.
So, at the very least, the data should have been encrypted, and access to the unencrypted data should have been restricted to only those who needed to see it in order to do their jobs.
Then, if the data were shared, it would most likely have been encrypted or tokenized, and no PII would be exposed.
This is what we in the data security industry call good cyber hygiene. And, unfortunately, the general public and people dealing with data in their jobs are not as well acquainted with cyber hygiene as they likely are with, perhaps, dental hygiene. But if they have a bank account and assets to protect, they should be.
What Comes Next?
It may sound as though I’m pointing my finger at FEMA, but this incident points out a pervasive problem across our federal agencies. They are short of staff and money to deal with cybersecurity. And, while CEOs and heads of IT in publicly held companies lose their jobs because sales and share prices fall as a result of data breaches, this doesn’t seem to be the case in federal agencies. Perhaps we need more real accountability attached to data security in the federal government.