Texas’ Personal Information Data Breach Becomes Personal
Last week both my husband and I received letters from the Texas Comptroller’s office informing us that we were among the 3.5 million Texans whose personally identifiable information (PII), including Social Security numbers, birth dates, driver’s license numbers, addresses and other personal details, was severely compromised because this data had been posted to a publicly accessible server for more than a year. I had anticipated getting the letter since first learning of the breach, but it still hurt to see it in black and white.
eWeek covered this story in a recent article and noted that, according to the office, once the data was in the hands of the comptroller, internal procedures were not followed: the information was left on a server accessible to the public and was not purged as those procedures required.
So how appropriate that Diane Carlisle’s article in last week’s ARMA newsletter was entitled “Texas PII Massacre”…great symbolism Diane. In the article, she offered up suggestions from ARMA’s Generally Accepted Recordkeeping Principles® (GARP) for helping companies mitigate just this type of occurrence, including:
- Establish firm policies and procedures to ensure information is properly protected against inappropriate exposure.
- Train employees on the policies and procedures so everyone understands their responsibilities.
- Use technology to ensure only personnel with the appropriate level of security / clearance can access sensitive information.
- Utilize encryption and other security protocols to protect information at all times.
- Conduct periodic audits and reviews to ensure established procedures are being followed.
A timely article this week in Law Technology News entitled “States Take Practical Steps to Respond to Data Breaches” provides a good overview of state-specific PII data breach laws, describes the best practices that have developed in response to them, and addresses the calls for a federal data-breach law. I noticed that Texas wasn’t included.
Here at StoredIQ, my job in marketing is to write about the benefits of our eDiscovery and information governance solutions, which provide organizations with a comprehensive, secure and efficient approach to meeting their governance and compliance needs. StoredIQ can help protect business-critical information and personally identifiable information assets such as account numbers, social security numbers, credit card numbers, as well as trade secrets, financial records, strategic business plans and IP/source code.
Don’t I wish that the Texas Comptroller’s office had StoredIQ in place. They could have proactively identified content that did not comply with their corporate governance policies – like storing my husband’s and my personal information on a publicly available server – helping to ensure that potential issues like this are addressed before they become legal issues.
TOPICS: information governance, information management, PII, records management