A Texas-sized data breach expensive for state government

The Texas Comptroller notified about 3.5 million people last month that their personal information (including names, addresses and Social Security Numbers, and in some cases driver’s license numbers and dates of birth) was publicly exposed for about one year because of data security lapses by the government.

The Facts

The breach occurred after various state agencies and entities transferred information about individuals to the Comptroller’s office for use in verifying unclaimed property records. State law required that the information be provided to the Comptroller. Unfortunately, there were several missteps in how the data was transferred and handled. For starters, the transferred files were required to be encrypted, but they weren’t. Then, according to the Comptroller’s office, several additional internal data security procedures weren’t followed in the handling and storing of the data. Perhaps the most egregious violation: the information was stored on a computer server that was accessible to the public, and it stayed there for more than one year. The Comptroller’s office said that there was no evidence of identity theft resulting from the breach, but declined to say whether large amounts of sensitive data had been downloaded before the exposure was discovered. (Absence of reported identity theft is not the same as evidence that the data was never accessed; only server access logs, if any were kept, could establish that.) The Texas attorney general’s office and the FBI have begun a criminal investigation into the matter.

The Costs – So Far

$1.8M, and counting. Since the breach was discovered on March 31, 2011, the Comptroller’s office has spent about $1.2M to send notices to the affected individuals, about $393,000 to set up a call center to assist those with questions, and another $290,000 for technology consultants to review the agency’s data security policies and procedures. In addition, the Comptroller has negotiated arrangements for the provision of credit monitoring services, identity theft insurance, and other protective services. All of these are first-party, out-of-pocket costs. Apparently no lawsuits have been filed yet.

The magnitude of these expenses may have been driven by political concerns as well as by post-breach “best practices.” While the Comptroller engaged technology consultants to review the office’s procedures and policies, it wasn’t clear from news reports whether the Comptroller also engaged forensic investigators to examine thoroughly the extent to which third parties had actually accessed the data. It would not be surprising for a political entity to undertake extensive and potentially unnecessary measures to show the public that it is aggressively dealing with a breach. It is axiomatic in data security circles that the faster breach notices go out, the more they tend to cost, because they are sent before anyone knows how many records were really exposed. Careful forensic investigation often reveals that a breach was in fact much less extensive than initially feared. Entities that quickly send notices based on possibly compromised personal information may subsequently learn that forensic investigators were able to determine that little data was actually accessed. Perhaps the Comptroller’s response was required by state law or regulations, or based on information not disclosed in news reports. But it seems quite possible that actions were taken with a goal of alleviating taxpayer anger, and not just of complying with legal requirements.

The Oft-Repeated Lessons

It would be easy and tempting to pass off the Texas situation as a unique one caused by especially egregious errors. The oversights were blatant, but it is important to remember, constantly, that very often the fault lies not in our policies, but in ourselves. Maybe the technical consultants hired by the Comptroller’s office determined that the agency’s data security policies were appropriate (although that seems doubtful). But as the agency’s spokesman said, “This is a case of when human error can come into play.” Most breaches are. Even the best data security policies and procedures can fall victim to people’s unwillingness to follow them, and a policy that is not enforced by the systems themselves (encryption that is merely required rather than automatic, a server that can be made public by mistake) is only as strong as the next person who skips a step.

The pain of paying for a breach is probably as great whether the cause is a skilled attacker, an inadequate policy, or human frailty. Transferring some of the cost of dealing with a breach is not a moral judgment about the quality of an entity’s data security policies and procedures. It is a financial tool that can be a valuable part of the entity’s risk management practices. Governments as well as companies should consider protecting their coffers from the substantial costs that will be incurred in the event of a breach, regardless of its cause.

Connect with John Doernberg on LinkedIn.
