IOWA COMPUTER SECURITY http://www.globegazette.com/articles/2010/02/06/news/latest/doc4b6d840e399af353756867.txt#vmix_media_id=10215797

SEE LIST OF BREACHES...............

Security breaches pose doubts over consolidated state systems

By Charlotte Eby, Globe Gazette Des Monies Bureau

A recent breach in the Iowa Racing and Gaming Commission’s database is raising questions about how safe data is in state computer systems.

Various agencies and the state’s universities have experienced numerous breaches in recent years, and those instances are being considered as officials aim to consolidate state computer systems.

Gov. Chet Culver recently issued an executive order to consolidate the state’s e-mail systems and planning and operations of information technology services to the extent possible.

State reorganization efforts moving through the Legislature this year also would consolidate information technologies.

The Jan. 26 breach in one of the racing and gaming commission’s servers occurred when a firewall was down due to human error, said commission Administrator Jack Ketterer.

The server contained a database with more than 80,000 records, including casino employee information with names, birth dates and Social Security numbers.

Ketterer said they did not have any evidence that any information was compromised or that identity theft had occurred.

The commission notified people and is advising those who have received occupational licenses to work at Iowa’s racing and gaming venues to keep a close watch on their credit reports and report any unusual activity to local law enforcement officials.

“We just regret that everybody was inconvenienced,” Ketterer said.

The commission uses a Minneapolis company for IT services, and Ketterer said no similar breaches have occurred in the past.

The security breach at the state’s racing and gaming commission is just the most recent among state agencies and public universities.

Ben Stone, executive director of the American Civil Liberties Union of Iowa, thinks if the government is negligent and allows the theft of someone’s data, it should have to pay damages if that person is a victim of identity theft.

“All of the sudden, they’d find the money to have some really good firewall protection,” Stone said.

Stone has concerns about the consolidation of state computer systems.

“What’s more efficient for government and what’s more efficient for corporations is also more efficient for thieves, and we need to recognize that,” Stone said.

• • •

Rep. Mary Mascher, D-Iowa City, is leading state government reorganization efforts in the Iowa House and stresses a vigilance for computer security.

Mascher said work to upgrade computer systems and find protections should be on an ongoing basis.

“As long as there are computers, there’s going to be breaches. What we will try to accomplish is fewer, and we will try to safeguard the systems to protect private information,” Mascher said.

The reorganization bill calls for IT systems to be consolidated whenever possible. Some state computer systems can’t talk to each other now, Mascher said.

Some agencies such as the Iowa Lottery need to have separate systems for security reasons, Mascher said.

She cited a need to address security breaches within departments.

“That stuff should be really and truly tightened up and the department heads need to be really on top of that in terms of explaining to people why you can’t take certain computers home, why you can’t take certain information out of the building, why it has to be secure and how you protect that,” Mascher said.

Doug Jacobson, a professor of electrical and computer engineering at Iowa State University, said for the most part, Iowa’s state agencies have done a fairly good job of protecting their data.

“The problem is there’s a lot of people out there that are constantly trying things and so you can’t let your guard down at all,” said Jacobson.

Jacobson is the director of the university’s Information Assurance Center and specializes in computer network security.

State Ombudsman William Angrick was an early proponent of a law that would require the notification of people whose data was part of a security breach. A notification law was signed in 2008.

“We didn’t have that type of protection in the past, and now we have that responsibility placed upon the custodians of the records, the keepers of the records, and I think it’s definitely part of the solution,” Angrick said.

Robert Bailey, a spokesman for the Iowa Department of Administrative Services, said the agency applies the latest technologies and safeguards and is schooled in protecting public data. The agency provides technology and information security services to many state government agencies.

The state e-mail system is hit by close to 12 million spam messages a day, Bailey said.

Bailey said consolidation would help officials know what security and detection mechanisms are in place.

“Nothing in this world is failsafe, because for every system you have to block things. You’ve always got, you know, people out there that are trying to do mischief,” Bailey said.

Charlotte Eby can be reached at 515-422-9061 or chareby@aol.com.