10Jul2015
Today the United States Office of Personnel Management revealed that its data breach affected tens of millions of individuals. The OPM’s Director resigned.
The stolen data included personal information about:
- Current government workers
- Former government workers
- Relatives and associates of current and former government workers
The OPM had information about the last group because they investigated people close to government workers who requested security clearances. Such investigations seem reasonable because interpersonal relationships can be more compelling than patriotism. If a government worker is going to be trusted with state secrets, it seems worthwhile to inquire whether s/he has close ties to people who support our enemies.
The legitimacy of collecting this Personally Identifiable Information (PII) – including Social Security numbers – is not the question here. The question is: How long should the PII have been retained?
According to media reports, the oldest of the stolen data is decades old. Had it passed its usefulness? Was there any reason to keep it? Was there a Records Retention Schedule at the OPM? Was data disposal ever practiced?
Unknown millions of Americans are now vulnerable. Here’s a personal example: In 1979 and 1980, my wife worked for the U.S. Census. The position ended in June of 1980, and she has not worked for the public sector since that time. Fast forward 35 years, and we are told that nefarious hackers may have her Social Security number, birth date, and other PII.
It is beyond my ken to imagine a reason the OPM should have retained my wife’s data. It could not currently serve a legal, regulatory, operational or historical purpose. Just the opposite: for decades, the unneeded PII has needlessly used tax dollars to pay for storage, slowed searches, loaded servers, and more. The breach will entail tens of millions of notifications, credit monitoring, loss compensation, and more. What a waste! It reminds me of my friend’s comment when we noticed five DOT workers watching a guy with a shovel fill a pothole: “Your tax dollars at work.”
I don’t say this to disparage government workers. I can personally attest that most are hard-working, dedicated, and honest folk who give more than they get.
The OPM’s practice of records management gets a much lower grade. Surely there will be investigations that try to assign blame, fix fallacies, and improve bad practices.
I suggest that the improvements start with a revised Records Retention Schedule and an emphatically enforced records disposal program.
Gordy:
It appears that actual over-retention may have occurred based on the OPM records control schedules, available on NARA's web site. Appears that cases with "potentially actionable issues" are to be retained for 25 years after closure, and other cases 16 years after closure.