I’ve been critical of the poor security that allowed the breach of public health records of 780,000 people in Utah in April, so I feel compelled to comment on the firing of the director of technology services. Now that someone has been fired, of course, everything will be OK. Not.
I’m not defending Stephen Fletcher, either for his lack of oversight of data security or his weak efforts to brush the reasons for the Utah data breach aside as an easily fixable blip in policies and procedures. But the state government’s response has been largely political, when the emphasis needs to be on reviewing and then actually improving its data protection programs.
For example, Gov. Gary Herbert, in addition to firing Fletcher, hired an ombudsman to help victims of the breach protect their identities and credit. The state is offering free credit reporting and identity theft insurance. The state also terminated a contractor who provided software without encryption.
The most important first step, however, was hiring Deloitte & Touche to audit the security of the state’s IT systems. What the audits uncover — my guess is that it will be pretty ugly — and, more important, how the state responds to the findings will determine how likely the next big breach is.
Meanwhile, one has to wonder if the failure to provide encryption is the contractor’s, or the failure of the state to require it. I imagine the contractor or some vendor would be more than happy to encrypt the data for a price. Was this an oversight or security on a very tight budget?
The ombudsman is all well and good to make the best of a bad situation, but who is responsible for data security going forward? Who is working with Deloitte to oversee and coordinate the audit with the state’s IT and agency management personnel? And who will be responsible for deciding what actions to take in response to the audit findings?
The taxpayers of Utah should be concerned about how well their tax, motor vehicle and criminal records are protected. They should be asking who was setting the data protection policies and requirements for the IT guy. Where are the managers responsible for the state’s health programs and why aren’t they being called to account?
It appears that Utah has a lot of work to do before it has a viable data protection program, and the early indications are that it still doesn’t quite get it.