Bowen's bill, SB 13, is an expansion of the Social Security-number handling restrictions imposed on businesses and government agencies by SB 168 of 2001 and SB 25 of 2003. It proposes the repeal of California laws that permit the release of sensitive data to public- and private-sector researchers.
The proposed law will still allow data to be shared with researchers, just not data that can be linked to individual identity, a Bowen spokeswoman says.
"Identity theft is still the country's fastest-growing white-collar crime, and it's maddening to see state agencies responsible for handling sensitive personal information still don't understand that a person's Social Security number is the one key criminals need to unlock someone's entire financial history," Bowen said in a statement announcing the legislation. "The state needs to take a hard look at its data-sharing laws to make sure Social Security numbers and other key data identity thieves thrive on aren't being handed out like holiday egg nog."
One of the state agencies she's referring to is the California Department of Social Services, which earlier this year authorized a Connecticut researcher affiliated with the University of California, Berkeley, to utilize the personal data of some 600,000 participants and providers, without their consent, for the state's In Home Support Services program. The researcher was studying how improved wages and benefits might affect the state's ability to hire and retain in-home, long-term-care providers. Bowen's bill comes after UC Berkeley officials disclosed that the system containing the program data had been accessed by an unknown hacker in August.
According to Carlos Ramos, assistant secretary of the California Health & Human Services agency, the FBI is continuing to investigate the UC Berkeley security breach, and it's still not known whether any data on the compromised system was accessed. One group that has been affected is California taxpayers, who are footing the roughly $700,000 bill for the mailings and call-center staffing needed to contact program participants about the possible privacy breach.
All state departments have been asked to examine their internal policies about data sharing, particularly with research institutions, to make sure that they have appropriate information-sharing policies in place, California CIO Clark Kelso says. "We shouldn't be sharing that information unless there's a compelling research need for it," he says.
A November report from the General Accounting Office found that Social Security numbers "are widely exposed to view in a variety of public records, particularly those held by state and local governments, and appear in some public record nearly everywhere in the nation. Specifically, agencies in 41 states and the District of Columbia reported that SSNs are accessible in at least some of the public records they hold, and a few reported this to be the case for as many as 10 or more different records."
Citing the potential for misuse, GAO recommended that the Office of Management and Budget identify federal activities that require the display of Social Security numbers and devise a consistent policy regarding them.
Kelso says that while he hasn't seen Bowen's legislation, he and his IT council will consider whether a new, unique identifying number could be used instead of a Social Security number when information needs to be shared. "Now there's a cost associated with that, nothing comes free," he explains. "But in light of the privacy issues and the cost to people if their Social Security number gets out and there's an identity theft, it may be that that's something we should do. So we will be conducting that type of review, and we look forward to seeing what Sen. Bowen's legislation actually proposes."
More broadly, the state IT plan aims to better secure its computer systems, Kelso says. "Part of our strategic plan for IT in the executive branch is a consolidation of some of our IT infrastructure," he explains. "A big reason to do that is to get control over our exposure to the Internet, so that we can do a more consistent job of securing those systems. We've begun with Homeland Security out here, an evaluation and simulation program that I think is going to help to do a better job of learning where our vulnerabilities are and how we can secure them."
The state's IT strategic plan calls for the identification of the most serious and common information security risks by June 2005, followed by a risk-management and funding plan by March 2006.
While such steps may improve the state's IT security, Ramos notes that qualified personnel who meet the state's requirements would still receive research-related data on portable storage media. Portable disks, however, can be easily lost or stolen.
"People will continue to be the biggest risk within security, and we can't eliminate them," says Jonathan Bingham, president of Intrusic Inc., a security software company. "Any time individuals are handling data, the data can potentially be at risk. The question is, how much risk is acceptable?"
The bigger issue, he says, is "the fact that our ability to effectively secure [computer] networks is so low right now that we can't enable researchers--whose hearts are in the right place--to have access to this information."
As Bingham sees it, network security systems need to place more emphasis on user behavior than on user authentication. "Regardless of how much protection you have in place, until organizations have an ability to understand compromises on their internal network, the data will always be at risk," he contends. "The attack-detection technologies like IDS and vulnerability-scanning systems are effective at keeping people outside the perimeter from getting in. But once they're inside, these systems become largely ineffective."