"My favorite example of all time: You walk in and the clerk is asking you to fill out a form. You look at it and say, 'Why do you need my Social Security number?' and he says, 'Well, because it's on the form,'" Foley said. "If that's the only understanding your people have of what's on the form and why it's there, how can I walk away from your office thinking I'm safe and that you'll protect my information?"
The ITRC offers training and consulting on breach mitigation to organizations. Linda Foley, co-founder of the center with her husband Jay, said she asks a set of typical questions to clients whose employees carry data on mobile equipment.
She said governments should get creative in protecting Social Security numbers that are stored in the office or can be accessed on the move. As an example, she cited anonymous studies in which participants are identified by randomly generated numbers.
At the ITRC, even Foley, an executive, doesn't have permission to see every type of information. "I don't have permission to see certain files, because I don't have a need to know. Checks and balances -- I don't need anyone's Social Security number for any purpose whatsoever; therefore, I should not ever see them."
Kevin Mitnick, founder of Mitnick Security Consulting, said it all comes down to employee awareness and diligence. Sophisticated software may be what people think of when they want to defend against external breaches, but human error on the inside is a different kind of threat.
"Technology, I don't think, can prevent some employee from faxing off something that's inappropriate," Mitnick said. "Technology could be used to encrypt information, but training people is not a technology problem. It's a people problem."
Nightmare in the Breach
In 2007, the Lynchburg, Va., government found out firsthand why it's important to assess information-management procedures. The (Lynchburg) News & Advance reported in June 2007 that the personal information of more than 1,000 municipal employees and retirees -- including birth dates and Social Security numbers -- was included in an Excel spreadsheet attached to an RFP posted to the procurement section of the city's Web site.
The reason? Lynchburg wanted solicitations from third parties to provide pharmacy services, so it placed the RFP on its procurement page. One vendor asked the city for an extract of medical codes, which helped the vendor determine the city's usage of prescriptions. Lynchburg saw no problem providing this information but decided that if one vendor could see it, all of them should have access.
The information was put in a spreadsheet and attached to the online RFP. The problem was that the spreadsheet also had the names of employees and retirees who filled prescriptions during that year under the city's previous pharmacy coverage, along with other personal information.
According to Lynchburg Human Resources Director Margaret Schmitt, no city employees thoroughly examined the spreadsheet to omit the extraneous data, so when the affected employees and retirees Googled themselves, their personal information was included in the search results. Bad news for Lynchburg.
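Two controls would have changed the Lynchburg outcome: build the vendor extract with the identifying columns stripped and each person replaced by a random identifier (the approach Foley describes from anonymous studies), and gate anything headed for the procurement page through a scan for Social Security numbers. The script below is an added example, not code from the article, the city or the ITRC. It assumes a CSV extract with hypothetical column names (`name`, `ssn`, `dob`, `ndc_code`, `fill_date`); the three rows of sample data are constructed and the numbers in them are made up.

```python
import csv
import io
import re
import secrets

# Constructed sample input: the kind of pharmacy-claims extract the article
# describes, with identifying columns sitting beside the drug codes the vendor
# actually asked for. Names, SSNs, dates and codes are made up.
RAW_EXTRACT = """name,ssn,dob,ndc_code,fill_date
Jane Doe,123-45-6789,1961-04-02,00093-7146-01,2006-03-14
John Roe,987-65-4321,1955-11-30,00378-0180-01,2006-05-02
Jane Doe,123-45-6789,1961-04-02,00093-7146-01,2006-06-15
"""

# Hypothetical column names that identify a person and have no business in a
# public RFP attachment.
IDENTIFYING_COLUMNS = {"name", "ssn", "dob", "date_of_birth"}

# US SSN layout: 3-2-4 digits with dashes. High-confidence pattern; run it over
# every cell, not just the column named "ssn", because data gets pasted anywhere.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def scan_for_pii(text):
    """Return findings for a CSV attachment that is about to be published.

    Each finding is (line_number, kind, value). Identifying column headers are
    reported on line 1; SSN-shaped values are reported wherever they occur.
    """
    findings = []
    lines = text.splitlines()
    if not lines:
        return findings
    header = [h.strip().lower() for h in lines[0].split(",")]
    for col in header:
        if col in IDENTIFYING_COLUMNS:
            findings.append((1, "column", col))
    for lineno, line in enumerate(lines, 1):
        for m in SSN_RE.finditer(line):
            findings.append((lineno, "ssn", m.group()))
    return findings


def pseudonymize_extract(text, keep=("ndc_code", "fill_date")):
    """Build the vendor extract: drop identifying columns, keep utilization data.

    Each distinct person gets a random token so the vendor can still count
    fills per member. The ssn -> token map stays with the data owner and is
    never attached to anything public.
    """
    reader = csv.DictReader(io.StringIO(text))
    token_map = {}
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["member_token", *keep], lineterminator="\n")
    writer.writeheader()
    for row in reader:
        ssn = row["ssn"]
        if ssn not in token_map:
            token_map[ssn] = secrets.token_hex(8)  # random, not derived from the SSN
        writer.writerow({"member_token": token_map[ssn], **{c: row[c] for c in keep}})
    return out.getvalue(), token_map


def release_gate(text):
    """Refuse to release an attachment that still carries identifying data."""
    findings = scan_for_pii(text)
    if findings:
        raise ValueError(f"attachment not cleared for publication: {findings}")
    return text


if __name__ == "__main__":
    print("raw extract findings:", scan_for_pii(RAW_EXTRACT))
    safe, mapping = pseudonymize_extract(RAW_EXTRACT)
    print(release_gate(safe))
    print("tokens issued (kept internal):", len(mapping))
```

The gate has to run before the file is posted, not after: as the city learned, a crawler indexes attachments as readily as pages, and pulling the file down does not pull it out of a search engine's cache. Note also that the tokens hide direct identifiers only; a rare drug code combined with fill dates can still single out an individual, so the extract should carry no more columns than the vendor needs.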
"When Google looked at our site, it also went into attachments. It's something we found out after the fact -- that Google, when