A California state agency and a prestigious state university admitted last week that they had put hundreds of thousands of Californians at risk of identity theft -- but did it have to happen? A computer operated by a University of California at Berkeley researcher was accessed by a hacker, who may have swiped a database including a whopping 1.4 million records containing residents' personal information, including their Social Security numbers.
The data originally came from California's Department of Health and Human Services, a list of everyone who received or provided care in California's In-Home Supportive Services programs during the past three years. A researcher-in-residence at Berkeley was using the data to study the effects of wages on employee turnover and health care quality, according to the school.
The participants were not notified ahead of time that their personal data was going to be shared with the school. They were notified last week that the data had been exposed to a hacker, as required by a 2003 California state law that requires notification if a company or state agency has reason to believe personal data has been compromised.
Accidents happen, say both agencies, who admitted to the mistake last week but gently blamed each other for the mishap. But experts who study privacy are wondering: Why were Social Security numbers necessary for the researcher's work?
The incident shines a light on the cavalier attitude organizations -- including government agencies -- take with securing consumer data, said Rob Douglas, a privacy consultant who operates PrivacyToday.com.
"Why do they use SSNs for research? Simple answer. They do it because it is easy for them and they don't give a damn that SSNs, by law, are not to be used that way," Douglas said. "It is just lazy and reflects the undeniable fact that no matter what government tells us, they have made the SSN the national identifier and refuse to honor the commitment that was made to the American people at the time of the creation of the numbering program as part of Social Security."
Douglas said the Social Security numbers could have been removed from the file, and an alternate unique identifying number placed in their stead.
Used to create random sample, school says
But George Strait, head of Berkeley's Public Affairs office, said Social Security Numbers were essential to the researcher's project. She has worked on similar projects in other states, he said. The researcher selects a subset of participants in the program, then does extensive follow-up interviews. For the study to be relevant, a truly random sample must be selected for the interviews, Strait said.
"The way you get the random sample involves (Social Security numbers)," Strait said. "For a short period of time she needs the personal identifiers. When that elapses, she gets rid of the identifiers and goes on about her business. Unfortunately, during that time she got hacked."
Strait said he did not know if there were effective, alternate means for generating a random sample that didn't involve Social Security numbers.
Carlos Ramos, spokesman for the agency that gave Berkeley the data, said he didn't know if it tried to offer the data to the school with the Social Security Numbers removed. But the researcher did specifically ask for the key piece of personal information, he said.
"And later on in the request there is specific information on how they would secure it," Ramos said. Those promised steps weren't taken, he said.
He defended the practice of sharing the agency's data with researchers.
"We are always looking for ways to improve the quality of our services," he said. "One way to do that is through research."
But California state Sen. Debra Bowen (D- Los Angeles), who has authored several pieces of privacy-related legislation, was sharply critical of the state agency.
"There's no reason why a person doing research on the salaries of IHSS workers needed to have access to people's names, home addresses, and Social Security numbers," she said. "Whether the state had the legal right to give them out as part of a research project isn't the issue, the point is the state should have been smart enough not to turn that kind of sensitive information over, period."
Meanwhile, other researchers say the same study could have been conducted without putting California residents at risk.
'Frankly appalling'
"I think it was frankly appalling that the California Health and Human Resources Department allowed the data to be resident on UC Berkeley computers in the first place," said Avivah Litan, a researcher at Gartner.
"They could have easily insisted the researcher come to their site and if warranted, study the data within the confines of their own presumably-secure computer systems. This begs the question: where else is confidential citizen data residing? And how many other companies, universities and other institutions have had break-ins that are not disclosed?"
California has the only mandatory data-leak disclosure law in the nation.
Ramos said that while a hacker did access the researcher's computer back in August, it's not clear that the file containing the information was actually stolen. So far, consumers have not reported mischief on their credit files related to the incident, he said.
The California Office of Privacy Protection, which helps the state administer its aggressive privacy laws did not immediately respond to interview requests. A new state law, which takes effect in 2005, goes even farther than current legislation, providing penalties for agencies that fail to protect data. This incident probably represents a violation of that law as well, Litan said.
"If that law were effective today, California could end up suing its own state government for non-compliance," she said.
Bowen said she was frustrated that government agencies may have played a role in easing the work of identity theives.
"It's maddening to see that some people in the state, especially in a state agency that handles this kind of sensitive information, still don't get it," she said. "Preventing identity theft is far cheaper and more effective than trying to track down criminals after the fact, but it's pretty tough to prevent identity theft when you turn over hundreds of thousands of Social Security numbers to someone without bothering to ensure the information is protected."
Bob Sullivan is author of Your Evil Twin: Behind the Identity Theft Epidemic.