Hancock Fears New Hacking Bill May Go Too Far By J. DOUGLAS ALLEN-TAYLOR

Tuesday December 07, 2004

A Southern California State Senator, reacting to last fall’s UC hacking incident, wants to repeal current California laws allowing state agencies to release Social Security numbers and other personal data to public and private sector researchers. 

State Senator Debra Bowen (D-Redondo Beach)—who has in the past authored laws restricting the use of Social Security numbers by businesses and government agencies—introduced SB 13 on the first day of the new legislative session this week. 

But a spokesperson for State Assemblymember Loni Hancock (D-Berkeley)—who has been working on this issue since the UC Berkeley hacking incident surfaced last month—says that while Hancock supports efforts to provide more security for personal data, “we don’t want to put a chill on needed research projects.” 

The sharing of Social Security numbers with private researchers by California public agencies became a political issue last fall when a hacker broke into a UC Berkeley computer that contained personal information of more than 600,000 California In Home Supportive Services (IHSS) workers and clients. The private information—including Social Security numbers, birthdates, and telephone numbers—had been placed on the computer by a Connecticut-based researcher working under contract with the state of California. 

Under current California law, state agencies may share such personal information with researchers, but the researchers must redact the identifying information before loading the data into a computer database. In this case, the personal information was not redacted. 

No evidence has been presented that the hacker ever obtained the Social Security numbers or other private information on the hacked UC Berkeley computer.  

This week, however, officials of the Department of Social Services (DSS) announced that the state will spend close to $700,000 to mail warning notices to all 1.4 million individuals whose names and personal information were provided to the researcher. Last month, Assemblymember Hancock had called on DSS officials to do such a mailing after the department had decided to issue only a media release and a web posting. 

As for Bowen’s bill banning the release of personal information to researchers, a statement sent out by the State Senator’s office said the proposed bill would prevent state agencies from turning over personal information to anyone “unless it is required by law for law enforcement purposes.” 

Saying that Social Security numbers are “the one key criminals need to unlock someone’s entire financial history,” Bowen said that “the responsibility for safeguarding or removing [the numbers] shouldn’t have been on the researcher, it should have been on the state.” 

The senator added that while the Department of Social Services “may have had the authority to hand 600,000 names and Social Security numbers to the researcher, that doesn’t mean it was a smart thing to do. The state needs to take a hard look at its laws on data sharing, because most of those laws were written decades ago.” 

But Hans Hemann, chief of staff to Assemblymember Loni Hancock, says that might go too far. 

“One of the fears that we have is that we don’t want to kill research projects that are going to give us important information,” Hemann said. “The state has data of various types of things that does need to be researched, and we just need to make sure that there are policies in place and enough security measures taken that these breaches don’t occur. But I’m sure that Senator Bowen is going to take that into account. 

“Loni wants to make sure that we have statewide protocols and procedures in place so that when people are using confidential identifying data for research, that information cannot be used for purposes of identity theft. We haven’t seen Senator Bowen’s bill yet, but we certainly are in favor of adopting such protocols and procedures that still allow research to continue.” 

Hemann said one of the problems with redacting Social Security numbers before giving data to researchers is that researchers need a tracking number to identify individuals in a data set. “I think what DSS did was rather than going in and creating 1.4 million new distinctive tags for each client or worker, they just sent along the Social Security number,” Hemann said. “If I recall correctly, in one of the briefings DSS representatives said that we could have, and yeah, maybe we should have, included a different identifier with each of the clients.” 

He said that this is one of the problems which state and university officials are attempting to work out. 
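The alternative Hemann describes, a distinct tag per client or worker in place of the Social Security number, is routine pseudonymization. The following is an added illustration written for this page; it is not code from the article, from DSS or from UC Berkeley, and it does not describe how the IHSS extract was actually produced. The two CSV extracts, the names and the SSNs in it are constructed sample data, and the project key is a hypothetical secret that would be generated and kept by the agency. It shows two ways to mint the tag (a keyed HMAC, or a random ID with a lookup table retained by the agency), shows that a researcher can still join two extracts on the tag, and ends with the release check that, per the article, nobody asked: does the file still contain anything SSN-shaped? One caveat the code makes explicit: an unkeyed hash of an SSN is not a redaction, because fewer than a billion SSNs exist and a hash can be inverted by trying them all.

```python
"""Added example: replace SSNs with project-specific surrogate IDs before an
extract leaves the agency, while keeping records about one person linkable."""
import base64
import csv
import hashlib
import hmac
import io
import re
import secrets

# Constructed sample extracts (fake SSNs and names). The same person appears in
# both files, which is exactly why the researcher needs a stable identifier.
WORKERS_CSV = """ssn,name,county
123-45-6789,Alice Example,Alameda
987-65-4321,Bob Example,Contra Costa
"""
CLIENTS_CSV = """ssn,hours_per_week
123-45-6789,20
555-12-3456,35
"""

SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b|\b\d{9}\b")


def normalize_ssn(ssn: str) -> str:
    """Strip dashes/whitespace so '123-45-6789' and '123456789' map to one ID."""
    return re.sub(r"[\s-]", "", ssn)


def keyed_surrogate(ssn: str, project_key: bytes) -> str:
    """Deterministic surrogate: HMAC-SHA256 of the SSN under a per-project key.

    A plain hash is not enough: fewer than 10**9 SSNs exist, so an unkeyed
    SHA-256 of the number is inverted by brute force. The key stays with the
    agency; same key => same ID across extracts, different key => unlinkable.
    """
    digest = hmac.new(project_key, normalize_ssn(ssn).encode(), hashlib.sha256).digest()
    # Base32 keeps the tag short and free of SSN-shaped digit runs.
    return "P-" + base64.b32encode(digest[:10]).decode()


class SurrogateTable:
    """Alternative: random IDs plus a lookup table that the agency retains.

    Nothing in the ID derives from the SSN, so the only secret is the table,
    which must never travel with the extract.
    """

    def __init__(self) -> None:
        self._by_ssn: dict[str, str] = {}
        self._by_id: dict[str, str] = {}

    def surrogate_for(self, ssn: str) -> str:
        key = normalize_ssn(ssn)
        if key not in self._by_ssn:
            sid = "R-" + base64.b32encode(secrets.token_bytes(10)).decode()
            while sid in self._by_id:  # collision guard, practically never taken
                sid = "R-" + base64.b32encode(secrets.token_bytes(10)).decode()
            self._by_ssn[key] = sid
            self._by_id[sid] = key
        return self._by_ssn[key]

    def reidentify(self, sid: str) -> str:
        """Only the agency, holding the table, can map a tag back to an SSN."""
        return self._by_id[sid]


def pseudonymize_csv(csv_text: str, surrogate) -> str:
    """Return a copy of the extract with the ssn column replaced by study_id."""
    reader = csv.DictReader(io.StringIO(csv_text))
    fields = ["study_id"] + [f for f in reader.fieldnames if f != "ssn"]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fields)
    writer.writeheader()
    for row in reader:
        row["study_id"] = surrogate(row.pop("ssn"))
        writer.writerow(row)
    return out.getvalue()


def join_on_study_id(a_csv: str, b_csv: str) -> list[dict]:
    """What the researcher can still do: link two extracts by surrogate ID."""
    b_rows = {r["study_id"]: r for r in csv.DictReader(io.StringIO(b_csv))}
    return [{**r, **b_rows[r["study_id"]]}
            for r in csv.DictReader(io.StringIO(a_csv)) if r["study_id"] in b_rows]


def leaks_ssn(text: str) -> bool:
    """Release gate: refuse any extract that still contains an SSN-shaped token."""
    return SSN_PATTERN.search(text) is not None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # hypothetical project key, kept by the agency
    workers = pseudonymize_csv(WORKERS_CSV, lambda s: keyed_surrogate(s, key))
    clients = pseudonymize_csv(CLIENTS_CSV, lambda s: keyed_surrogate(s, key))
    assert not leaks_ssn(workers) and not leaks_ssn(clients)
    for rec in join_on_study_id(workers, clients):
        print(rec)
```

The surrogate is still an identifier and the other columns (birthdates, telephone numbers, county) can re-identify people on their own, so the tag only removes the SSN from the extract; it does not make the rest of the record safe to leave on an exposed machine.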

Hemann said that since the hacking incident, Hancock’s office has been working with the Health and Human Services Agency and the Department of Social Services “to try and come up with a better mechanism so that data doesn’t get released. They have put together a task force to try to set standards so that these types of breaches don’t happen again. UC Berkeley is going through a similar review of their policies. Apparently when they looked at this project they viewed it simply from the individuals’ perspective—are there any concerns with the interviews that were going to take place between the researcher and the individuals—and they didn’t think about doing a review of the identifiable personal information. Of course, they now realize that they were lacking.” 

Hemann also gave insight into how the Social Security numbers and other personal information may have ended up on the UC Berkeley computer despite state policies prohibiting that practice. Hemann said it was his understanding that the IHSS data was placed by the private researcher on her own computer, which was then connected to the UC Berkeley system. 

“There was one point where she was having the computer installed on campus and had the university employee strictly followed the protocol and asked all the right questions, the data would not have been put in an area that would have been so vulnerable,” he said. “There was one question they failed to ask.” The question left unasked was whether the personal information had been redacted. 

Meanwhile, no arrests have been made in the Aug. 1 hacking incident that highlighted the problem in the first place. A spokesperson for the Federal Bureau of Investigation office in San Francisco said that the FBI has an “ongoing investigation” in the matter. The spokesperson said no further details on the pending investigation could be released at this time.