Today’s headlines, like almost every day’s headlines, are filled with a variety of stories about data breaches, cybersecurity incidents, and resulting privacy compromises. These lead, rightfully, to cries that our cybersecurity be strengthened. One oft-cited example of the need to update our cybersecurity postures and policies is the series of hacking incidents at government agencies, such as the breach at the Office of Personnel Management (OPM) (0), in which sensitive and detailed personnel information on 21.5 million people was compromised. This example is so gripping because of the intuitive awareness we all have that such records may contain information we would not like released — Social Security numbers, birth dates, disciplinary actions, and perhaps even health information. Chilling indeed. But consider now that similar information (Social Security records, addresses, and disciplinary action) about your children is in the hands of someone without your consent, not by computer hack, but by court order.
As I wrote (1) in an AEI working paper in November, this describes a discovery order made by a court in California:
“The scenario is exactly the reality faced by parents and guardians of children who attended any California public school since January 1, 2008. A federal judge ordered the California Department of Education to gather, consolidate, and disclose to the plaintiffs the complete student records of all California public schoolchildren during this time frame—an estimated 10 million student records. The plaintiffs in Morgan Hill Concerned Parents Association v. California Department of Education, a local parent group and a statewide parent association, will have nearly unfettered access to those students’ records.”
The case is sympathetic to be sure — a group of parents raised concerns that special education students were not receiving the appropriate academic accommodations — but as a matter of law, it is hard to see how the scope of the discovery (ten million records) or its breadth (for example, Social Security numbers) bears on the needs of the case. Although the judge later modified the order to at least control the physical transfer of the data from computer system to computer system, the breadth of the data ordered for release was still extensive.
The risk of personal data disclosure (both intentional and unintentional) increases with such broad orders. To guard against unnecessary data disclosure risks, I argue that a judge can and should first seriously consider whether third-party data are relevant to the case. If the answer is no, the collection of those data should be limited. Data that are necessary may be anonymized to protect a given individual, and unnecessary data can sometimes be completely removed from the record. Judicial concern should particularly be raised if data are already identified by statute as highly sensitive in nature. As I noted (2),
“Congress has spoken to the privacy concerns [implicated in the Morgan Hill case] with two very broad categories of data by enacting highly detailed policy statutes: FERPA protects student records, and HIPAA protects medical records. Of course even if the data at issue fall under these statutes, the courts have a special right to compel disclosure of the data by “judicial order.” The fact that Congress itself has decided certain data are highly sensitive clearly indicates that the court should carefully guard its privileged exception to the statute by asking one simple question: should the court compel disclosure of the requested data?”
There is a key point here to extrapolate to the cybersecurity concerns surrounding our government agencies and entities. Governmental agencies truly concerned about protecting their data should not concentrate only on ensuring the integrity of data that have already been collected. Rather, at every stage, government agencies should question the need for data collection in the first place. That means, just as judges must limit data collection to what is “proportional to the needs of the case,” governmental entities (such as school districts) should ask only for the data necessary to accomplish their mandate. There can be no inadvertent disclosure of data one does not have. It just may be that the best first step to preventing the next data breach is governmental respect for personal information privacy.