Traffic Crash Records and Emerging Security Issues Traffic

  • Slides: 19
Download presentation
Traffic Crash Records and Emerging Security Issues Traffic Records Coordinating Committee (TRCC) Meeting September

Traffic Crash Records and Emerging Security Issues Traffic Records Coordinating Committee (TRCC) Meeting September 7, 2006

Summary of the Issue n n Recent improvements in the State’s traffic records infrastructure

Summary of the Issue n n Recent improvements in the State’s traffic records infrastructure and data accessibility raises numerous questions related to privacy and security of personal information contained in crash reports/data The release of traffic crash data (with personal identifiers) raises issues of particular concern

Types of Access n n n Crash data and image extracts Traffic Crash Reporting

Types of Access n n n Crash data and image extracts Traffic Crash Reporting System (TCRS) web application Crash reports received directly from the source (i. e. law enforcement)

How Could the Data Be Used? n n n n Sold to third parties

How Could the Data Be Used? n n n n Sold to third parties for commercial use/profit Identity Theft Providing false identity to law enforcement at time of an arrest Producing counterfeit driver license or ID Producing counterfeit checks Affecting credit ratings or criminal history Other violations of personal privacy Courtesy of Sgt. Jeff Yonker, MSP -CID

n In May 2006: Theft of laptop computer containing personal information on millions of

n In May 2006: Theft of laptop computer containing personal information on millions of veterans stolen from an employees apartment makes national news. n “VA hit with two class-action suits over data theft” June 6, 2006 n “Report: VA not doing enough to protect data: GAO finds veterans' information still vulnerable” June 14, 2006

n July 2006: Laptop computer owned by the USDOT containing personal information on 133,

n July 2006: Laptop computer owned by the USDOT containing personal information on 133, 000 pilots was stolen from a vehicle in Florida

n August 22, 2006: “Laptop theft puts 28, 000 IDs at risk Beaumont home

n August 22, 2006: “Laptop theft puts 28, 000 IDs at risk Beaumont home patients caught in tech epidemic”

Impact on Traffic Safety n n n Potential data security issues for crash reports

Impact on Traffic Safety n n n Potential data security issues for crash reports on over 350, 000 crashes each year. Criminal and civil liability for state and local users who possess crash data that includes personal information Potential for adverse negative political/media fallout for your agency in the event of a security breach

Act 26 Overview n n n n HB 4377 introduced March 28, 2979 by

Act 26 Overview n n n n HB 4377 introduced March 28, 2979 by Rep. Perry Bullard Public Act 26 of 1980 (Section 257. 624) Purpose was to allow for crash research while ensuring that personal information is protected, and to establish penalties for unauthorized disclosure Amended the Michigan Vehicle Code to permit OHSP to authorize release of crash data/reports only for scientific/medical research/studies Release of data/reports is not required Information not admissible in court Release of personal information to a third party prohibited with criminal penalties attached

History of Security Breach Laws n n n In 2003 CA passed what is

History of Security Breach Laws n n n In 2003 CA passed what is considered the first “security breach” law Requires the reporting of any breach or suspected breach in security that results in the disclosure of personal information to unauthorized parties Personal information defined as name plus any one of a number of identifiers (DLN, SSN, or credit card/account/PIN number)

Security Breach State Laws n n n To-date, thirty-one states have enacted security breach

Security Breach State Laws n n n To-date, thirty-one states have enacted security breach laws (Michigan not included) Michigan had two bills introduced in 2005 (HB 4658 and SB 309) Both bills would require breach notification within 5 days of any affected individuals through written, electronic, or substitute notice (email, website posting, and news release)

Key Questions n n n n Does your agency receive or possess crash data

Key Questions n n n n Does your agency receive or possess crash data with personal information/identifiers? How is the data stored in your agency? Is the data secure? How many people have access to the data? Who are they? (i. e. employees, students, etc. ) Do you keep records of those who have access? How do you ensure that once they leave your agency, they no longer have access? Could others gain or be provided access without the knowledge of your agency? Could the data be provided to unauthorized users without the knowledge of your agency? Can you guarantee the security of the data and that it will not be lost, stolen, or shared with unauthorized parties or individuals? Does the data ever leave your facility on a laptop or in some other form? Are there agency policies in place that restrict the transportation of the data to another location? If it is transported, how it is transported? Do you have a data security policy in place? Do you have an Incident Response Plan in place in the event of a security breach? Have you had discussions internally with data security or legal counsel regarding data security, liability, and associated issues? Do you have adequate liability coverage for damages resulting from a breach of security involving personal information?

Agencies Need to Consider n n n That sharing personal information obtained through Act

Agencies Need to Consider n n n That sharing personal information obtained through Act 26 with unauthorized third parties is illegal and subject to criminal prosecution That the risks associated with possessing unencrypted personal information, even for legitimate uses, are significant How a data breach would impact your agency n n Public confidence Credibility Criminal or civil liability Economic impact

Process for Release of Crash Data n Data and image extracts n n n

Process for Release of Crash Data n Data and image extracts n n n Continue to be processed under Act 26 by OHSP Data fields of concern have been identified New Agency Agreement form is in development Release of personal information (i. e. name, address, DLN, DOB) in the future more restrictive TCRS access n n System security issues Creation of a TCRS that is “sanitized” of personal information Use of TCRS limited to research under Act 26 approvals Authorizing agency transition from OHSP to CJIC

Data Fields of Concern n Form ID Fields n n CMV Fields n n

Data Fields of Concern n Form ID Fields n n CMV Fields n n n ORI Case Number Serial Number Carrier Name Carrier Street, City, Zip ICCMC Number USDOT Number MPSC Number Involved Party Fields n Party City, State, Zip n EMS Fields n n n Vehicle Info Fields n n n Ambulance Hospital VIN Number Plate Number Personal Info Fields n n DLN Name Street Address DOB

Recommended Action n n n Have respect for other people’s personal information Be sensitive

Recommended Action n n n Have respect for other people’s personal information Be sensitive to emerging security issues Determine whether your agency possesses personal information from crash data reports and take steps to mitigate risk Adhere to all provisions under Act 26 Consult with your security/legal advisors Take prudent and responsible action to protect the security of the data and yourself and your agency from criminal and civil liability

Recommended Action n n Be aware of ongoing changes at the state and national

Recommended Action n n Be aware of ongoing changes at the state and national level in response to increased privacy concerns and threats to security Anticipate how these changes may impact your agency

n n Access to crash data is critical to making advances in improving highway

n n Access to crash data is critical to making advances in improving highway traffic safety State and local agencies with planning/research responsibilities need access to crash data The challenge, and our collective responsibility, is meeting the needs of traffic safety researchers and planners while still preserving security of personal information and maintaining individual privacy

Questions/Discussion

Questions/Discussion