Latest loss of veteran data teaches more than one lesson

News this week that the personal records of as many as 70 million U.S. veterans were contained on a faulty hard drive sent by the National Archives and Records Administration (NARA) will once again serve to highlight disconnects between security and data privacy policy and practice. The public comments made by NARA officials concerning this incident also highlight some of the issues with current exceptions to data breach disclosure rules put in place by the federal government.

The security problem in this incident is that the media in question was not sanitized as it should have been according to federal and Defense Department policy. NARA had no intention of sending any data out of its custody; it merely wanted the hard drive repaired. NARA officials have defended their actions by saying that the return of hardware media such as disk drives is a routine process, and that the presence of unencrypted personal data on the drives doesn’t violate any rules. The situation was brought to light through the actions of an IT manager who reported it to NARA’s inspector general. NARA had not disclosed the loss of records to federal authorities (which it is required to do under federal regulations even if it believes no actual breach of personal information has occurred), and also chose not to notify veterans whose records might be affected. The manager who reported the breach and agency officials appear to differ markedly on whether the situation constitutes a breach: on the one hand, the manager characterized the loss as “the single largest release of personally identifiable information by the government ever,” while the official position stated by the agency is “NARA does not believe that a breach of PII occurred, and therefore does not believe that notification is necessary or appropriate at this time.”

The position articulated by NARA calls to mind the “harm” provision in the personal health data breach notification regulations issued by HHS and the FTC that went into effect last week. In a change from the language in the HITECH Act that mandated the regulations, the final version of the HHS rules includes an exception to the breach notification requirement if the organization suffering the loss of data believes that no harm will be caused by the loss. (The FTC rules have no such exception.) The self-determination of harm, and the incentive organizations would have to minimize their estimate of harm in order to avoid disclosing breaches, have angered privacy advocates and seem likely to result in under-reporting of breaches. The gap between the common-sense perspective and the official NARA position on this latest data loss is strong support for the argument that leaving the determination of a breach’s significance up to the organization suffering the loss will result in individuals not being notified that their personal information may have been compromised.