On July 8, a letter from the Securities and Exchange Commission was sent to some of its current and former employees stating that personal data was accidentally transferred to another unnamed government agency. This incident has some citing it as an example of the problem with the government having its hands on all your data.
Names, birth dates and social security numbers of current and former SEC employees, was transferred “inadvertently and unknowingly,” according to the letter obtained by The Hill, on a former employee’s thumb drive as he was moving jobs to another agency. SEC was not made aware of this exchange of information until 10 months later.
“We deeply regret this occurrence and apologize for any inconvenience this incident may cause,” Bayer wrote in the letter, according to The Hill, which confirmed with SEC the letter’s contents applying to employees working there before October 2009. “Please be assured that the SEC is committed to protecting the information with which we are entrusted.”
Lucky — if you would call if that — for those involved, this data breach remained within the systems of the federal government, but to Hester Peirce, a former staff attorney for the SEC who was informed by the letter her data might have been compromised, it highlights the problems the government has handling some sensitive information.
“What if he’d gone to the private sector? What if he’d dropped that thumb drive somewhere, with mine, and I’m assuming quite a few other people’s, personal information?” Peirce asked, according to The Hill.
In an op-ed for The Hill, Pierce, now a senior research fellow at the Mercatus Center at George Mason University, detailed her thoughts further, calling it an “ironic twist” that she received this letter informing her of the breach the same day it was revealed the IRS had accidentally published “tens of thousands of social security numbers. It was also the same day, she noted, that Steven Antonakes, the acting deputy director for the Consumer Financial Protection Bureau, was telling Congress it “makes every effort to safeguard and protect the information that it does obtain.”
In writing about the SEC data breach, Peirce called it “commendable” that the former SEC employee had been hoping to use already developed templates in his future work for the government and that his mistake was “understandable.”
“But that is exactly the problem,” Peirce continued. “The government can earnestly promise that it will protect your data, but—staffed as it is with humans, some of whom are diligent but careless and others of whom are ill-intentioned—it cannot honor that promise.”
With this in mind, Peirce takes the opportunity to discuss why she finds “CFPB’s data collection efforts [...] troubling.”
CFPB, according to Antonakes’ testimony before the House Committee on Financial Services on July 9, is creating a National Mortgage Database that it believes “will help to fill the information gap with loan-level data of a random and representative sample of mortgages.”
Antonakes stated that the database would not include personally identifying information and that “agencies will implement safeguards against potential re-identification of individual borrowers.”
But Peirce disputes that personally identifiable information could be obtained through CFPB:
The fact is, the CFPB does have some personally identifiable data and—using a little bit of elbow grease or the computer wizardry of its Generation Y workforce—can probably tie a named consumer to the allegedly unidentifiable data it has. This task will be made easier if, as the U.S. Chamber of Commerce suggests, the CFPB is executing a plan to require banks to catalogue the consumer data they provide to the bureau according to individual identifiers.
But no worries, as the CFPB told Congress, it “stores and protects personally identifiable information, along with other confidential information and data, according to information security requirements that comply with applicable Federal laws and regulations.”
What’s more, Peirce explained to TheBlaze in a phone interview that it wouldn’t be too hard for CFPB to tie together such information to track some purchases being made.
“They don’t need that kind of data that they’re getting” to analyze what they want to,” Peirce told TheBlaze. The ability of a government agency to be able to track purchases, Peirce said, she found “troubling.”
Of course, CFPB protects sensitive information according to the law. Peirce points out that the SEC does too — and look at this recent, accidental leak. And let’s not forget all the times the hacktivist collective Anonymous has infiltrated government systems.
“The government, like any other human organization, will inevitably be subject to data breaches,” Peirce wrote. “That is why we ought to be awfully sure that regulators really need data before we start handing it over to them.”
She did concede to TheBlaze that she understood some agencies, depending on their mission, are tasked specifically with collecting data.
“But that doesn’t mean they should be given it with an open hand,” she said, noting again that Congress needs to adequately put checks on what data — and how much — is given to whom.