As I sit here reading my data breach notice from the United States Office of Personnel Management regarding their loss of my personal information (name, DOB, SS#), I can’t help but be angry.  Yes the OPM had a legitimate need for my data.  In 2005.

I have not had a government security clearance since leaving law enforcement in 2005, when I was assigned to an F.B.I. task force.  At the time, I needed the clearance to have access to Bureau computer systems and workspaces. I left my life as a crime fighter in 2005 and have been working in the private sector ever since.  I have not been listed as a reference on anyone else’s background checks, nor have I applied for any Federal positions that would require any OPM background processes.

For the life of me, I cannot figure out why my data would be maintained by the OPM in an active, connected database ten years after any legitimate purpose concluded.  Had my data (and that of millions of other former employees, contractors and individuals) been moved to a non-active system for archiving, that was not connected to active systems, my personal information and that of millions of others would probably not have been exposed.

Who saw the data?  Maybe it was the government of China.  Perhaps it was a group of cybercriminals looking for identities.  Maybe a non-state entity selling the data to the highest bidder.  Who knows.

What I do know is that this isn’t the first time I have received this type of letter, and I am confident it will not be the last.

A little over a year ago, I received a letter from the Maricopa Community College that they had experienced a data breach and my personal information (name, DOB, SS#) was included.  Maricopa Community College?  2013?  I graduated from the University of Arizona (Bear Down!) in 1994, not Maricopa Community College in 2013.  Then I recalled that I had taken a one-day photography class held at a neighborhood community center that was offered through the Maricopa Community College.  In 2008.

Five years after attending a one day “fun” class and then no subsequent interaction with M.C.C, and they felt it prudent to have my name, DOB and SS# in an active, connected computer system that was subsequently breached.

Are we seeing the trend here?

Data containing PII (Personally Identifiable Information) that is clearly relevant to an organization AT ONE TIME is being held for far too long in systems that are connected, ultimately, to the outside world.  When they are breached (it is a “when” not “if” nowadays), all the stored data is compromised and the all too common “we lost your PII” letters get mailed out along with a meager allotment of “free credit monitoring” (at least the OPM offered three years of monitoring instead of the typical one year).

Why do organizations feel the need to keep old, irrelevant data active in their systems long after it is even remotely useful?

Perhaps it is cost.  Does it cost more to actively police the archiving of data once it reaches a certain “age” and then remove it from the system than it does to explain to shareholders and customers why an organization let PII be stolen?  How do the government fines for releasing PII factor into this cost equation?  Lost reputation?  What about the fees for the credit monitoring provided to end users?

Maybe it’s convenience.  If an organization believes you will ever return to their fold, is it easier to simply keep your data “live” so that when that day comes, your PII is readily available and does not need to be restored?

Perhaps it boils down to indifference.  The actual issues raised with a data breach have become fairly commonplace and so organizations don’t have much to fear in terms of a data breach.  It’s so common that I wonder if there is really any negative publicity associated with a breach anymore.

So what could make this less damaging?

My immediate thought, based on my personal experiences, would be for a mandatory “sun-setting” of data after a reasonable period of time.  Three years sounds reasonable.  If I don’t re-engage with an organization for a period of three years, that organization should be required to remove my PII from their active, accessible systems.  It’s my PII, after all.  Shouldn’t I have some say in what happens to it?  I understand I may not be able to control how well an organization safeguards my PII while it is active (although I could surely support organizations with strong track records and avoid those with spotty performance) but after the three years are up, my data must be removed from your system.  Let’s face it, if you have not engaged me in a way that has made me a customer, patron or involved user in three whole years, I don’t belong to you, and my PII certainly does not either.



ABOUT Peak Forensics: Peak Forensics is a full service Computer Forensics, Electronic Discovery and Consulting firm in Phoenix, Arizona.  Peak Forensics fills a need for experienced, professional computer forensics services, client centric electronic discovery and seasoned testimonial and trial consulting services.  Peak’s CEO and founder, Jefford Englander, has been actively participating in computer forensics and ESI investigations for 15 years and has a background in local and federal law enforcement and the civil litigation realm.  From ESI collection to forensic analysis, hosted review, reporting and expert testimony, Peak can lead you to focused information.