Monday, January 5, 2009

New Proposals in Iowa

From Today's Iowa Register

"Iowa governments would have greater authority to black out personal information from public records under proposals recommended by a legislative committee. Advocates say the proposals would protect citizens from identity theft. But opponents say the unintended results could be alarming, particularly if the public is unable to differentiate between, for example, a convicted sex offender and another citizen with the same name. "The public has more to fear from government records containing information about them of which they are unaware than the release of information pertaining to them," said Bill Monroe, executive director of the Iowa Newspaper Association.

Lawmakers formed the Identity Theft Prevention Study Committee, which met in November, to consider how the release of personal information in Iowa could make residents vulnerable to identity theft. Public concern heightened this year when privacy advocates complained about a land records site, The Social Security numbers of thousands of Iowans from all 99 counties were listed on the site, including those of Gov. Chet Culver and Secretary of State Michael Mauro.
Administrators of the site quickly shut down the ability to view details of the records after the advocates pointed out the problem. The group says removing personal information from all the records - called redaction - will cost the state as much as $2.3 million, which includes $500,000 to update its computer programs. Culver said in an interview this week that he agrees steps should be taken to redact personal information from public records that can be used to steal Iowans' identities.
However, he said he was not sure how the state would pay for such efforts. County recorders, for example, have proposed increasing an electronic filing fee from $1 to $3 to pay for the redaction effort.

"I think protecting individuals' identity is important," Culver said. "Once it gets to the level of security risk, we should take steps to limit how far we go in terms of disclosing things like Social Security numbers."
The committee made 11 recommendations, several of which would give governments more power to remove Social Security or bank account numbers.
Sen. Steve Kettering, R-Lake View, a member of the study committee, said there is no simple answer to the problem. Lawmakers must find the appropriate balance between protecting identities and maintaining public records that protect the public through transparent government.

"There isn't an easy solution, and that's the hard part," said Kettering, who noted that detailed records are critical in his profession as president of Farmers State Bank in Lake View.
Open-records advocates generally agree that some sensitive information like credit card numbers should not be released. The problem arises if governments redact information such as dates of birth, addresses or other unique identifiers, said Kathleen Richardson of the Iowa Freedom of Information Council. Richardson said lawmakers need to establish how frequently identity theft occurs through public records. She believes the problem is rare.

"I think there needs to be a demonstrated need of why we need to vacuum public records," Richardson said. "We also have to carefully consider what our definition of personal information is and make sure it's not so broad that it wipes out too much information."
Sen. Steve Warnstadt, D-Sioux City, said the committee has tried to be sensitive to the concerns brought forward by open records advocates when making its recommendations. The recommendations will likely be used to help draft proposals during the 2009 legislative session, which begins Jan. 12.

"The point of this is not to restrict access. The point is to prevent identity theft and personal information from being disclosed from people who don't have a legitimate reason to have that information," said Warnstadt, the committee co-chairman."

Iowa is tackling this issue head-on and should be a model for other states to follow. Notice how Kathleen Richardson addresses the central question by saying that the committee needs to assess the definition of personal information. Once a written policy including that crucial component has been established, it becomes relatively easy to put a real plan into motion.

I would also counsel so-called "open records" advocates that while the concept of easy access is attractive, it has one fatal flaw. Data has value. The proponents are not the ones who determine what is valuable data and what is not. That is in the hands of the information black market. As I have said time and again, "As long as the data has value it will be stolen, sold, and used by thieves." As to public record theft incidents, there were in excess of 15 million combined records lost or stolen from counties, cities, states, state universities, and school districts across the U.S. in 2008 alone. Those are public records databases. In my links area is a link to dataloss. You can see there how much is lost and stolen on a regular basis. But how much is acceptable? According to the FTC and other sources, there have been between 8 and 10 million domestic identity theft victims in each of the past three years. Due in part to the sale and resale of stolen information, it can be difficult and even impossible to trace identity theft victims to a single incident, which skews statistics. This is particularly true with mass database theft such as with public records.

If the figure of $2.3M to update software and to redact records is correct, the investment the state will have made will offset the upfront hard costs of a data breach, the liability of a large or even moderate breach, and any subsequent lawsuits resulting from identity theft. Good risk managers will tell you that the potential loss is far greater than the investment in a reasonable program.

Identity theft is on the rise at an alarming rate. As our economy unravels and becomes more fragile every day, selling data becomes a very attractive activity with very low risk. As businesses and local governments cut back on security budgets, a lot more opportunities to steal information occur, and a lot more people are desperate to cash in on the market in personal information.
