Safeguarding sensitive data

IT administrators adopt new solutions to protect government-hosted information


     David O'Berry, director of info systems and services for the South Carolina Department of Probation, Parole and Pardon Services (DPPPS), says data breach laws are meant to inspire any entity, which includes government agencies, to ensure the data they keep is encrypted in a safe digital ecosystem.

     DPPPS has a large mobile network, with more than 700 mobile-capable users including 400 remote agents in 46 courtrooms. In order to protect its confidential data, DPPPS recently began a conversion to McAfee's Endpoint Encryption, which secures laptops, PDA's, desktops and can encrypt single file folders if needed.

     Like Aladdin, McAfee also offers a thumb drive-like device equipped with encryption software. The McAfee thumb drive solution utilizes dual authentication, meaning the thumb print, user name and password are required get access to the information. Mark Rutledge, McAfee's director of business development for more than a year, and the former chief information officer for the state of Kentucky, explains that the stick can hook up to any PC, but users need to have the credentials to get to the information on it.

     "Now [safe access is] portable, it's protected, and you're not tied to a specific machine," he says. "If you want to take [information] from home to work, as long as policy allows it, now you have a way to transport it in a secure fashion."

     The law enforcement community in Tennessee found itself in a mess in December over its 5-year, $1 million project: the Tennessee Criminal Justice Portal. Col. Mike Walker of the Tennessee Highway Patrol (THP) says some authorized employees were abusing access to the Portal, which linked its approximately 850 agencies to the six state-hosted databases, by looking up local celebrities and political figures, as well as neighbors or ex-girlfriends out of curiosity. He says that if management had been able to see into the future, it may have avoided critique from a local news organization and the community. (See "Bad apples" on Page 22 for more on internal data abuse.)

     He says the misuse and abuse by employees may have been thwarted "if we had had more technology built into things and looked forward to what kind of reports management would need ... for some checks and some balances."

     Rutledge, who does not work with THP, says McAfee has several add-ons through its Data Protection suite that would provide management with an insight on how confidential and sensitive information is being handled by users, allowing policies and controls to be enforced.

     For example, when certain types of accesses are attempted by people who don't have the credentials, it can alert management and send a message to remind that his or her conduct is out of bounds, educating users in the process.

Damages

     If a breach is detected, in addition to notifying people, in some areas, punitive damage monies may be allowable under law for the leaked data.

     Complicating matters for government agencies are the data they must keep to operate - driving records, Social Security Numbers, vehicle registration data, criminal history, etc. It's no question of the value and necessity to track and maintain the latter records, but data breach laws require hosts - government or not - to notify individuals of a breach event. And attacks can come from anywhere, especially for DPPPS, which hosts offender data as well as victim information.

     "Anybody that wants to touch my data, I'm worried about," says O'Berry. "[The data miner] could even be inside. We don't really treat people that are inside any differently than we do [people] that are outside. That's one of the models that we're trying to get to: Just watch everything because you just don't want to take a chance."

     South Carolina's statute allows data hosts to be fined up to $1,000 per record that is lost. For an agency that safeguards data for upwards of 32,000 offenders, a breach of even a quarter of that amount at the maximum penalty could strike DPPPS with a total bill in the millions of dollars range. In a recessed economy with government budgets maxed and forecasts for millions of dollars of cuts nationwide, there's no margin for error on the subject of database protection.

  • Enhance your experience.

    Thank you for your regular readership of and visits to Officer.com. To continue viewing content on this site, please take a few moments to fill out the form below and register on this website.

    Registration is required to help ensure your access to featured content, and to maintain control of access to content that may be sensitive in nature to law enforcement.