With the recent data breach at OPM, the spotlight has firmly been on federal data breaches and the vulnerabilities that expose sensitive employee and citizen information to would-be hackers.
But the feds aren’t the only government targets vulnerable to attack, state and local agencies are also stewards and defenders of a large amount of financial, healthcare, and other personally identifiable information (PII). And while some agencies have made major investments and taken big strides in securing their systems, NASCIO reports that a whopping 76% of state CISOs feel that their budgets remain insufficient to tackle the increasingly sophisticated cyber threats that business and governments are routinely facing.
So what kind of threats to state and local agencies face when it comes to data privacy? DLT partner, Informatica, has identified five key cyber threats and challenges that apply specifically to state and local governments:
Privacy Weaknesses Perforate Revenue Agencies
Earlier this summer the IRS disclosed a massive security breach that gave hackers access to detailed tax-return information of 104,000 taxpayers (read more about how the IRS data breach occurred from DLT’s Chief Cybersecurity Technologist Don Maclean).
Recommended for YouWebcast: 5 Essentials Sales Managers Need to Know to Crush your Quarter
Despite previously claiming that progress had been made in correcting information security weaknesses, many have not been corrected. The recent IRS attack wasn’t a particularly sophisticated one either. According to Maclean, the IRS breach was “exceedingly low-tech” and “at the other end of the spectrum from the infamous and sophisticated Chinese hacking operations.”
But ensuring the privacy of the taxpayer data is not just a federal problem. In 2012, one of the biggest privacy breaches in recent times happened in 2012 at the South Carolina Department of Revenue. That attack compromised 3.6 million Social Security numbers and 387,000 payment card numbers, as well as tax payer address information. Most of the targeted data (as in the case at OPM recently) was unencrypted.
The fallout? At a minimum, a loss of taxpayer trust plus the cost of credit monitoring for those affected by the breach.
With the help of federal grants, many states across the country are implementing statewide longitudinal data systems (SLDSs) to capture and analyze student data from preschool through higher education to employment, reports Informatica. To qualify for a federal grant, an SLDS must ensure the confidentiality of student data according to the requirements of the Family Education Rights and Privacy Act (FERPA), which protects PII from being accessed without student permission. These systems are also subject to state privacy regulations. Consequently, states are under enormous pressure to ensure that no user or outside party can view PII data even as it is being aggregated and analyzed as part of an SDLS program.
Health and Human Services Programs are Fraught with Data Privacy Challenges
Welfare and contribution-based programs, such as cash and food assistance, unemployment insurance, etc. are hugely vulnerable to data privacy threats. With the launch of Obamacare, this problem is only exacerbated. The Affordable Care Act enables health insurance exchanges to use modified adjusted growth income (MAGI) data from the IRS to determine eligibility for health insurance and Medicaid. The IRS requires that HHS agencies hide or mast MAGI data so that other organizations can see eligibility results but not the data behind it.
HIPAA Privacy Rules
HIPAA privacy rules apply to all government healthcare organizations, including Medicare and Medicaid, Veterans insurance, and more. One of these rules calls for “minimum necessary” use and disclosure of protected health information (PHI). It mandates that policies and technologies be implemented to hide, protect, or mask any individually identifiable health information that’s not otherwise required to fulfill a specific purpose or request, says Informatica.
Government-Wide Social Security Number Remediation
Numerous agencies rely on Social Security numbers as a unique identifier in their systems, however in recent years many have implemented remediation initiatives to remove SSNs as the prime identifier or key. Yet, agencies widely report that SSNs continue to be collected and stored without a proper understanding of the business requirements for that data, claims Informatica.
Informatica suggests that a comprehensive SSN remediation program must be part of an overall governance plan that includes removing and securing personally identifiable information, including SSNs, and a process review of all systems to determine the actual business requirements of SSNs.
State and Local Agencies Don’t Need to be Left Vulnerable
For more information on what to look for in a data privacy solution and how Informatica data masking products have been proven to help state and local agencies achieve robust, transparent, and cost-effective data privacy, check out this whitepaper: Safeguarding Sensitive Data in State and Local Governments.