All eyes have been on Equifax these past few weeks, as the extent of its data breach has unfolded. But, private entities like Equifax are not the only ones collecting huge swaths of data. The federal government also has extensive personal data on large numbers of Americans. And the government is no more secure than Equifax or any other company. In fact, government employees found out in 2015 that the Office of Personnel Management had been breached, exposing the most sensitive personal data to hackers. Just last week, the Securities and Exchange Commission (SEC) revealed that its online filing system, EDGAR, had also been hacked.
Somehow, even in the face of these massive breaches, federal agencies seem reluctant to reconsider the type of data they collect. SEC Chairman Jay Clayton has said that his agency will move forward with the Consolidated Audit Trail, a data collection program that will place even more sensitive data in the hands of the SEC.
In 2015, my former colleague, Mark Calabria, testified to just these risks. Focusing on data collection efforts by the Consumer Financial Protection Bureau (CFPB), he warned the House Financial Services Subcommittee on Oversight and Investigation that the Bureau’s plans to collect transaction-level data would risk exposing millions of consumers’ personal and financial data to hackers. This is despite the fact that the CFPB could fulfill its obligations with aggregate data that would pose no such risk to individual consumers. And yet, the CFPB has shown no signs of heeding these warnings, even in the wake of multiple high-profile data breaches in the intervening years.
I’m sure that each agency believes it is taking steps to protect the data, but I’m equally sure that Equifax thought it was taking steps to protect its data. I’m sure OPM believed it was taking steps to protect its data. (OPM announced only this week that it was hiring a new Chief Information Officer, specifically citing the need for increased cyber security following the breach more than two years ago.) The problem is that as hard as these organizations try to protect their data, the hackers will be trying just as hard to crack it.
There may be legitimate needs for some data collection. But, given the demonstrated risks, there is no excuse for using a dragnet approach. Agencies should be held accountable for the data they claim to need. They should be required to demonstrate, with particularity, why they need the data they say they need. Whenever any part of the government either requires disclosure of or seeks control of individual-level data, it should also be required to explain why aggregate-level data would be insufficient for the stated data collection purpose. These explanations should be publicly available, so that the people can decide whether the government has met its burden of proving that it should be permitted to hold the data it is requesting.
Requesting information is always easy. It requires little effort on the part of the requestor, and it gives the appearance of diligence and near-scientific rigor. Who doesn’t like data-driven solutions? But it is far from costless. It’s time the government justified imposing these costs on the people it is supposed to serve.