Monday, June 25, 2007

Ohio’s state government places a value on personal information

The latest in the string of embarrassing data breaches involves the state of Ohio whose officials allowed a storage device to be stolen from a car.

This story keeps getting worse as at first it was thought that only 64,000 state employees personal information was on the device, but now they are realizing that a few hundred thousand Ohioan’s information was also on the device. Depending on the source the number varies from 200k to 500k. No matter what it ends up being it is a PR nightmare for the state government and elected officials.

At to add more embarrassment to the situation the person who had it stolen was an intern.
To me an intern is a student or a recently graduated individual who is now working for the state government as an apprentice to learn the ropes, the rules, gain exposure, acquire experience, and even earn college credits. In other words, a rookie.

So with all of the people that work in the state government, an intern is chosen to carry the storage device as a security measure to have copies of data in case something terrible happens. It just didn’t cross anyone’s mind that they were not paying attention to the security of the data at both ends. And something did happen, just not at the end they were expecting.

So with all of the concern about protecting this information they hand it over to an intern who leaves it in a car (by some accounts unlocked) and it disappears. Did the intern even know what they were taking home? Did anyone bother to tell the intern? What was the value of that information on the device if it could be handed over for safekeeping to an intern? The state must have felt it was very little since they gave it to the lowest person on the ladder. But now the value is starting to mount as the state is already spending hundreds of thousands on services to protect individuals and that is just the start.

If whoever took that device does crack into it successfully and spreads the wealth of information all over the internet, you can be assured that institutions that will start to bear the brunt of costs associated with this will surely look to the state for restitution.

Ohio is now falling into the same path as millions of Americans who do not bother to take pro-active steps, but then spend millions on reactions once a breach occurs.