Over the last 20 months, hundreds of thousands of Wisconsin residents' Social Security numbers and other information have been disclosed in at least four known privacy breaches.
In one instance, employees at a utility company were found looking up information on family, friends and ex-lovers. In others, protected information was accidentally mailed out on separate occasions by three state agencies. At UW-Madison, information on some 200 employees was accessible online.
These incidents have led Sen. Jon Erpenbach (D-Middleton) to call for a state privacy advocate office, to be tasked with centralizing dozens of state databases and safekeeping residents' confidential information. Meanwhile, Gov. Jim Doyle has hired a Milwaukee-based privacy consultant to draft recommendations on how Wisconsin can prevent further breaches.
These breaches aren't unique to Wisconsin, however. According to the San Diego-based Privacy Rights Clearinghouse, nearly 220 million personal records nationwide have been accidentally disclosed by private businesses, state institutions and universities since 2005.
Erpenbach recently spoke with The Daily Page about how the Legislature can better protect citizens' privacy and whether that is likely to happen.
The Daily Page: You've called for a privacy protection advocate. In a perfect world, what kind of teeth would this person have?
Erpenbach: Basically, it's a consumer privacy advocate who works not only on behalf of the state of Wisconsin, but as a watchdog over the state that deals with the handling and transfer of sensitive information and makes sure the agencies are doing exactly what they're supposed to be doing. The office then needs to have some sort of authority to basically override agencies' decisions when it comes to the handling and transfer of information. With the information that we're dealing with at the state level and the breaches we've had lately, everybody should be pretty concerned.
Do we even know how many databases are out there or what kinds of safeguards they have in place?
Jeez, I'm looking at it this way: Everybody in the state of Wisconsin is in at least one database, if not several dozen. You hunt, you fish, you pay taxes, drive a car, on and on and on. If the state's going to require that information, just like any company, they have a responsibility to make it as secure as it can be. These kind of "Oops! I'm sorry," sort of things, they're kind of getting frustrating. And it's not just the state. There's been some breaches within the private sector as well. I would tend to think that at some point you'll start seeing legislation being taken more serious.
Do you get the sense that the Legislature is taking this issue seriously?
I think they're taking it more seriously now. When you think of it, there's information all over the place. Credit companies are asking for more and more information. Blockbuster is asking for more information. Everybody is asking for more information. Companies and the state need to do a better job about being up front about what they plan to do with that information. We need to get more into an opt-in world as opposed to an opt-out world. Right now, if you don't want the information sold, you have to opt out, otherwise they assume you do. Legislators are obviously concerned about this, but I don't think they're concerned enough as a group to really deal with it.
Currently, institutions and businesses have 45 days before they have to notify citizens of privacy breaches. Considering a lot of damage can occur in just a few hours, why is this window so large?
I don't know what it is, but if that's it, it's too long. I've been fortunate enough to never have had my identity stolen, but I've spoken with people who have. We're not talking about people taking a few hours out of their day or month to get things straightened out. We're talking years. The credit companies and everybody are better at taking action. But at the same time, once it's stolen, it's really difficult to get everything in order. Government needs to act quicker on behalf of consumers to give them more power to deal with identity theft.
What can government and industry do to protect sensitive information from employees?
Let's say somebody works at a utility company and they're getting into records, there's computer footprints all over the place, they should be able to track that back to the employee. Companies are beginning to realize that they really need to limit the access to people who really have to have it. Just because you work at a particular place doesn't mean you should have access to information on clients or employees.
What are the odds that a privacy advocate will materialize in the foreseeable future?
The upside to a breach is that every time something like this happens, the call for a consumer privacy advocate becomes a little louder. But you don't want to have breaches be the reason why you're putting something in place, you'd rather have something in place first before something happens.
Every time there's a breach, we start talking about who's responsible and who did this, when if you had one entity basically overseeing the state databases and controlling the flow of information between agencies and the companies that the agencies contract out with, I think things would be smoother. I think you'd see fewer breaches and I think our information would be more secure.