On Aug 25 2006, I published +$26 Billion in Privacy Act Fines for Feds in 2006, a diary discussing the "wave of security breaches... [which] cumulatively represent[ed] an attack on the identity and financial security of around 10% of the American population."
A number of security breaches this January raise the same issue with a new twist: An irresponsible government contractor (Monster.com) has been hacked, resulting in the loss of control of private information submitted to the Office of Personnel Management by job seekers (via USAJobs.gov) during a period of rising unemployment.
2005 was "the year of breaches", in which ChoicePoint and the National Nuclear Security Administration were hacked. In 2006, the Veterans Affairs Department got top billing for having lost millions of private records on unencrypted laptops (ibid). In 2007, the FBI admitted to fraudulently obtaining National Security Letter wiretaps (?) and DHS admitted that it had lied about the extent of TSA's collection of private information (?). In 2008, the election season was dominated by hacked Yahoo! Mail accounts, foreign interests stealing policy documents, minor website breaches, and individuals getting fired from the US Passport Office for peeking at candidates' travel records.
Welcome to 2009: the first hit (as is appropriate in the economic climate) is a Monster.com hack (?+?+?) resulting in the loss of ~2 million private records, and a related hack of USAJobs.gov (?+?+?) resulting in the loss of ~150 thousand. Many of the victims will include people now working for the Administration.
At the statutory minimum of $1000 per record established by 5 USC 552(g)(4)(A), the 146,000 records admitted (so far) amount to $146 million in Privacy Act liabilities within the first 10 days of the present Administration. Maybe it sounds better if we just think of it as $1000 for applying for a federal job. [UPDATE 31JAN2009: In the comments, sweetie4obama brought up Doe v. Chao, a 2004 case in which SCOTUS ruled that actual damages had to occur before the $1000 payment applied.]
I won't hold the President and his Administration responsible this time, but only because the inauguration was 10 days ago. Substantial policy attention must be dedicated to issues of data security and personal privacy in order to repair the damage of eight years.
This needs to change.
...
Sophos Labs' vcast entitled What the Monster.com security breach teaches us about passwords: