Larry Medina

For the Record

Dept of Energy goes Veterans Affairs one better

Well, when it comes to breaches of privacy, the "Hits Just Keep on Comin'." This past week the Department of Energy announced the loss of PII (Personally Identifiable Information) on 1,500 names. Now, this may sound like a minimal number compared to the VA loss of 26.5 million files, but pay close attention to who the records lost by the DOE belonged to.

Brooks said the file contained names, Social Security numbers, birthdates, codes showing where the employees worked and codes showing their security clearances. A majority of the individuals worked for contractors, and the list was compiled as part of their security clearance processing, he said.

So, follow the bouncing ball, folks... this is information not only related to names, birthdates and SSNs, but it included work location and SECURITY CLEARANCES ... so how much of a leap does it take to determine where these people live? Can you say ZABASEARCH??

What's worst about this incident is that the most recent losses of information occurred last fall and weren't reported until LAST WEEK.

And similar to the VA, the DOE doesn't find it necessary to remunerate the impacted parties and pay for them to set up security safeguards for their financial records, but rather has suggested that they contact the major credit reporting bureaus on their own, obtain free credit reports, ask for flags to be placed on their accounts, and "remain vigilant."

What's hard for me to get my arms around is the fact that many of the people impacted by both of these losses are California residents, and they should be able to seek protection under the provisions of CA SB1386, which requires immediate notification following the compromise of PII:

SEC. 2. Section 1798.29 is added to the Civil Code, to read:

1798.29. (a) Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

So why is it that private businesses have to notify affected parties "in the most expedient time possible and without unreasonable delay," and the Government can take its own sweet time?