ID theft protection lacking
As a defense against identity theft, the state started requiring last year that local government agencies with personal information on individuals to file an annual report, including the number of people and type of information tracked.
The creation of such a reporting system was the No. 1 recommendation of a 2007 Hawaii task force on identity theft prevention that found that government agencies don’t do enough to protect people’s privacy. Just 37 percent of all state and county agencies have filed the confidential reports that inventory government computers with personal information.
Many agencies that should have filed the report did not because of a misunderstanding between county and state officials.
For example, Hawaii County has 52 agencies or offices that potentially retain personal information on employees or consumers. None of them filed an annual report with the state’s Information Privacy and Security Council.
Hawaii County spokesman Kevin Dayton said Big Island agencies collected the required information but were unaware the reports needed to be forwarded to the state. All Hawaii County agencies are now updating the reports and will submit them "very quickly," Dayton said.
Up to 212 state and county agencies were identified as potentially needing to file the reports that were due Sept. 30, 2009. As of earlier this year, 66 agencies filed reports stating that they kept personal information while 12 agencies reported that they do not maintain computer systems containing personal information.
Don't miss out on what's happening!
Stay in touch with top news, as it happens, conveniently in your email inbox. It's FREE!
ID PLEASERecent cases of possible state identity disclosures: » January: A filing cabinet at the Department of Health was lost during an office move. It’s believed that the cabinet contained personal details of two people. » Last year: Financial aid records of more than 15,000 Kapiolani Community College students may have been compromised by a computer virus. » Late 2008: The Department of Land and Natural Resources inadvertently posted on its website scholarship letters and Social Security numbers for eight people. |
The remaining 134 agencies — including police departments in Honolulu, Maui and Kauai — did not state whether they had such systems, according to an April 30 report by the Information Privacy and Security Council, the latest filing available. The Kauai Police Department did file a report stating that it kept personal data on computers.
Sen. Will Espero (D, Ewa-Kapolei-Ewa Beach), who co-introduced and supported legislation requiring filing of the reports, said it seems some agencies didn’t give the initiative enough priority. Espero pegged the blame partly on government cutbacks.
The agency reports were supposed to be used to create an inventory of computers with personal information to increase oversight and planning and facilitate investigations of data breaches.
The Big Island wasn’t the only county that failed to provide the reports. None of Maui’s 56 agencies submitted the personal information systems report, according to the council, which is responsible for tracking the progress of government agency compliance with personal information system policies.
Maui County spokeswoman Mahina Martin did not provide responses to questions relating to this story.
The Information Privacy and Security Council was created under Act 10 of the first special session of 2008. That act was aimed at implementing the recommendations of the Hawaii Identity Theft Task Force, which met from 2006 to 2007.
The 23-member task force found that state and county agencies don’t do enough to protect their 20 million to 30 million records that contain personal information. The task force urged agencies to secure their records and limit collection of personal information such as Social Security numbers. The task force also called on agencies to implement security policies and better educate government workers about personal data security issues.
The task force’s No. 1 recommendation was to require agencies to file a report on systems that use personal information. Under state law personal information includes unencrypted names and Social Security numbers, driver’s license numbers, and bank account and credit card information.
State Comptroller Russ Saito, who serves as chairman of the Information Privacy and Security Council, said some of the agencies that did not submit their reports on time have since complied.
Saito said a lack of staff and funding have made it difficult to enforce Act 10.
"The Information Privacy and Security Council does not have any staff or funding," he said. "This makes enforcement of compliance with the act impracticable. It also has made the collection and monitoring of the 500 different reports and designee information a challenge."
Separately, state agencies are required to disclose security breaches that result in the release of personal information under Act 135 of 2006. The most recent disclosure was in January at the Department of Health when a filing cabinet was lost during an office move. It’s believed that the cabinet contained personal details of two people.
Last year, the financial aid records of more than 15,000 Kapiolani Community College students may have been compromised by a virus that affected a computer with access to financial aid records of students from Jan. 1, 2004, to April 15, 2009.
And in late 2008, the Department of Land and Natural Resources inadvertently posted on its website scholarship letters and Social Security numbers for eight people.
Gary Caulfield, who served as chairman of the Hawaii Identity Theft Task Force, declined to comment on the Information Privacy and Security Council report. However, Caulfield said the state appears to be making progress with its personal privacy policies.
"Obviously anything that has been done is better than what it was," he said. "Anything we can do to protect the confidential information of consumers and the public is a good thing."