Urgent Plea (Now Answered!) to Fix Georgia’s Data Breach Response

This post is an urgent plea to the State of Georgia to stop acting foolishly and carelessly in responding to its foolish, careless breach of 6 million social security numbers, drivers’ license numbers and perhaps other sensitive personal information (SPI). Much of the harm even in breaches caused by foolish disregard for harm is caused by failures to respond well, and that is the harm that the State is causing every minute of every day now. The media does not understand this and is focused on sideshows like lawsuits that have no chance of protecting anyone for any meaningful period of time, so this is also an urgent plea for the media to stop focusing on sideshows and hold our careless, foolish State officials accountable for what they need to do now.

This breach is reasonably likely to lead to identity theft of many of the victims, but if the Secretary of State and other representatives of the State stop acting like fools for just a short while, they can probably prevent most or all of such harm.   What the State needs to do is simple, because (if the Secretary of State is telling the truth) the information was released on only 12 discs that were sent to 12 requesters.  It needs to:

  1. use all legal, political and media means at its disposal to get the discs back, rather than just “asking” for them,
  2. get affidavits from the few recipients that the information was not used, copied or passed on,
  3. where such affidavits cannot be obtained because there was onward transfer of the SPI, follow that onward transfer until State representatives get such affidavits from every SPI recipient, or out such recipients publicly as people who want to put the futures of Georgians at risk and/or prosecute them as identity thieves, and
  4. communicate effectively that Georgians are being protected.

Simple, right?  I want to make it simple, even though making that happen is a bit more complex legally, so all victims and the media understand it.  I welcome any questions about the nuances, and particularly invite litigators of all stripes to contribute their expertise to the really important work of protection rather than the sideshow of consumer litigation.

Here’s why consumer litigation protects nobody: As noted before, when the numbers that are lost are the numbers (like SSNs) that cannot change in our broken national system of identity management, the only meaningful protection is protection for life or until we change our system. The only available protection is temporary, and the period of protection is always announced publicly, telling anyone who wants to use the information exactly when the information becomes most vulnerable.

The Atlanta Journal Constitution took the right first steps by publishing the names of all of the entities that received the discs, and by asking at least some of those entities if they returned the discs.  Of course they all need to be returned, but with electronic information one always needs enforceable assurances that the information was not used, copied or passed on as suggested above, and one needs to follow the trail of any onward transfer to get those assurances from any possible recipient.   Particularly given Doug Craig’s careless, flippant response that “maybe” he would return the disc today, harm prevention through careful response needs to be taken more seriously.

The media is not to be faulted for not getting the criticality of harm prevention when regulators and lawyers do not get it either.  The AJC reasonably asked David Vladeck, a very well-intentioned and nice man and the former head of the Federal Trade Commission’s Bureau of Consumer Protection, what he thought.  Unfortunately, like the rest of the FTC, Professor Vladeck has not learned enough about harm prevention in breach response.  One of the many benefits of the LabMD case’s holding that probability of harm must be shown to meet the first prong of Section 5(n) of the FTC Act — whether it stands now or is upheld by an Article III court later — is that it will force the FTC to distinguish between cases in which harm has been prevented so as to no longer be likely and those in which harm is probable.

We all need to get past our institutional interests — crisis managers’ in crises, media’s in drama, consumer litigators’ in consumer litigation, regulators’ in big issues that expand jurisdiction — in dealing with this and other breaches, to get to our shared interest in protection, and we need to communicate that commitment effectively.   This is a breach in which prevention of the harm through effective response — in a way that saves the citizens endless worry and the State tens of millions of dollars in credit monitoring and more in lawsuit defense — should be or should have been truly easy.   And that will only work if the State does what it can to ascertain that the SPI was never and will never be misused, and then stops talking about clerical errors and punishing underlings, and starts sounding like it is going to do everything in its power to prevent harm from its careless mistake and prevent that mistake from ever happening again.

Epilogue: After this post was published, Georgia confirmed receipt, non-use, non-copying and non-dissemination of all the discs, and sent that message of protection. So drop the stupid lawsuits and regulatory hysteria; Georgia is nobody’s fool!