(Editor’s note: The following article is adapted from the California Department of Technology’s Statewide Privacy Program.)
Story submitted by EIS
The 1989 death of actress Rebecca Schaeffer is a prominent example of failure to safeguard confidential and personal data entrusted to a state agency.
In that case, a private investigator, hired by an obsessed fan, was able to obtain Rebecca Schaeffer’s address through her California motor vehicle record.
The fan used her address information to stalk and to kill her, thus the enactment of the Drivers Privacy Protection Act (DPPA), Public Law No. 103-322 codified as amended by Public Law 106-69.
Originally enacted in 1994 to protect the privacy of personal information assembled by State Department of Motor Vehicles (DMVs), the DPPA prohibits the release or use by any State DMV (or any officer, employee, or contractor thereof) of personal information about an individual obtained by the department in connection with a motor vehicle record.
It sets penalties for violations and makes violators liable in a civil action to the individual to whom the released information pertains.
Accidental data release led to stalking
More recently, in another department, a claimant file was inadvertently transmitted to an incorrect party. The recipient contacted the individual data subject and requested to meet her to return her information. After meeting her, the recipient proceeded to stalk her.
Today, due to similar potential harms, we see new privacy protection laws introduced and enacted each year. Almost 34% of reported incidents are information disclosure incidents involving the inadvertent mishandling of personal information.
Employee due care and due diligence are all that is needed to remedy this situation. Shared Responsibility Managers and Supervisors have the responsibility to ensure proper information handling policies and procedures are adopted, and that all employees are made aware of, receive training, and have acknowledged their understanding of these.
All employees, including managers and supervisors, have the responsibility to ensure they are following state and departmental policies and procedures.
Here are simple information-handling practices that help safeguard personal information:
Sending emails and faxes
Remove or redact confidential or personal information before sending, or encrypt and password protect the document if it must contain confidential or personal information.
Communicate the password separately via telephone or text message. Sending unencrypted emails are vulnerable to attack at every stage from sender to receiver. Keep in mind the data will be stored and accessible on email servers and in back-up files.
Triple check the recipient information. You can’t control information or a file once you hit “send”.
Retrieving documents off a printer or fax machine
- Triple check the information. Print jobs may get co-mingled with other print jobs, and could lead to an inadvertent information disclosure.
Public counter processing work
- Ensure records processed, provided or otherwise accessed are for the correct individual before they are released.
- Do not leave documents containing personal information unattended/accessible on public counter(s).
Traveling for work
- Keep the mobile device or computing device on your person at all times. 40% of incidents reported state the device(s) was left either unattended only for a few minutes or was left in a trunk/inside of a personal or rental vehicle and upon return they find that the vehicle has been burglarized.
- Refrain from leaving in an unlocked or locked and unattended vehicle or trunk. If you must leave device in a locked vehicle be sure to secure the device in the trunk or other concealed area before arriving at the destination.
Remote and telework
When/If authorized to take confidential and personal information home for purposes of remote work or telework:
- Ensure family and other occupants of a shared workspace or home do not have access to the confidential or personal information.
- Assign passcode to lock/unlock mobile devices and enable multi-factor authentication capabilities for computing devices.
- Keep the mobile or computing device locked when leaving it unattended.
- Do not store State sensitive or confidential information on your personal computer.
- Store any sensitive or confidential information on encrypted media provided by your department.
- Ensure confidential paper documents are properly disposed of, i.e. shredding.
- Report security incidents or security concerns to your supervisor immediately.
- Refrain from using personal email for business use and state issued email accounts for personal business.
- Always comply with your organization’s policies and procedures to protect specific high risk data elements regulated by HIPAA, IRS, PCI, etc.
- Never download or copy state data without your Supervisor’s authorization, and never to an unencrypted portable media device.