Our Government’s Un-American Response to Data Security

May 2007

The time to get our act together on identity theft is now.  Our nation’s government has explored the threat ad nauseam.  We’ve held hearings, called witnesses, solicited expert testimony.  We’ve paraded data brokers and bankers before congressional committees and recited their shortcomings.  We’ve felt the pain of the victims and wanted to wring the necks of the perpetrators.

Meanwhile, week after week, in breach after breach, the same government agencies that coerce us into handing over our most personal information keep putting our sensitive data in harm’s way.  They lose it.  They publish it online.  They sell it to anyone with a few bucks and a hole where their conscience should be.  For con artists and criminals, it’s a bonanza.  For the rest of us?  Not so much.

Yet despite all this drama, somehow we never manage to do what we know must be done to stop the hemorrhaging of information into the wrong hands.  Good intentions notwithstanding, there always seems to be an abundance of irrefutable reasons to do nothing: this solution is too costly, that one is too controversial, and they’re all too painfully inconvenient for consumers or businesses or government officials to accept.

We’ve been patient, but now we’re done.  The clue-train is pulling into the station, delivering the clear and obvious message that government’s time is up.  We need a strategy.  We need a solution.  And we need to see the kind of inspired, capable leadership that will get it done.

Moreover, that leadership—hypothetical or otherwise—must be coupled with real authority.

This month, we examined Google’s program to help state governments make online public documents more searchable.  Our investigation taught us something surprising about the chain of command that runs from the highest levels of state government to individual agencies and employees: for the most part, when it comes to data security, it doesn’t exist.

Consider the case of California, whose Chief Technology Officer, Clark Kelso, says he can suggest what agencies should do to protect sensitive data, but has no real power to make those suggestions stick.  With no unified plan and no single point of responsibility for the lax practices of state agencies and institutions, is it any wonder that California has such an abominable record of high-profile data breaches?  And California is certainly not alone in this.

What is nearly as outrageous as this lack of responsibility is the number of government agencies that have simply given up on getting it right.  If you want to see finger-pointing elevated to an art form, ask a dozen people in government which of them will take responsibility for coming up with a real solution to the slipshod data practices that are endemic today—and following through.  If you expect any of those public servants to chime in, you’re watching too much Ozzie and Harriet.

For the benefit of those politicians and civil servants who will be tempted to chant variations on “math is hard” in lieu of anything constructive, allow me to proffer a three-step outline describing how this problem must be solved.  Here, in a nutshell, is the obvious yet elusive path we must follow—that is, if we don’t want our economic system to come crashing down around us:

1.  Come to consensus on what information should not be public.  Let’s start with this: As long as knowing my Social Security number lets you open a new line of credit in my name—or access my phone records, or my tax and insurance information, or almost any other account you care to mention—I don’t want it where you can find it, buy it, or steal it. Period. Is that inconvenient for someone? Deal with it. And that goes for every other piece of information whose appearance in a publicly available document puts some individual’s identity at risk.

2.  Create an effective chain of command that can clean up this mess, agency by agency—top to bottom, stem to stern. Enforce top-down directives in federal, state and local governments, holding people accountable for failures and keying the timeline to the urgency of the crisis, not the comfort of the bureaucrats. And don’t use a lack of resources to excuse a failure to execute. Need more resources? Get more resources. The American people are with you on this one. Use that fact while it’s still true. Furthermore, lacking vast resources is not nearly as much the problem as lacking an intelligent, organized, executable plan. Our conversations with state officials and Google suggest the “inaction” problem lies more in inertia than budget.

3.  Defuse “land mine” identifiers. My Social Security number should be useful for precisely one thing: to identify me to the people at the Social Security Administration. The creeping use of the SSN for everything under the sun is the biggest single factor (after greed) fueling the identity theft explosion. Until we make the SSN essentially useless for fraud, the millions of SSNs already in the hands of criminals—and the millions more waiting to be stolen—will remain a threat to every American’s peace of mind.

Is it more complicated than this?  Yes, certainly.  But it might just help us get a solution underway if we can distinguish between the broad strokes and the devilish details.  It’s high time to stop enumerating petty obstacles and remind ourselves that we’re Americans.  When we really want to do something, we do it.  When we truly take responsibility for something, we own it.  If we fail to move forward to protect our own citizens’ identities, property, and livelihood, it’s a failure of will, not ability—and that really would be un-American.  We’ve complained long enough.  Now it’s time for action.  Let’s go do what we Americans do and make this happen.

By Adam Levin  

©2003-2010 Identity Theft 911, LLC. All rights reserved.
