By Mark Rasch
In an earlier article I wrote that, in an effort to prevent fraud and promote openness, the Treasury Department intended to release biographical and financial information about companies that participated in the Paycheck Protection Program (PPP). The Treasury Department has now done just that. The need for accountability and openness often requires companies and individuals to provide sensitive information to government agencies — and, depending on Freedom of Information laws (FOIA or FOIL) or so-called “sunshine” laws, this information may be accessible to the press, to competitors or to the public generally.
From the standpoint of democracy, accountability and preventing fraud, this is a good thing. From the standpoint of privacy, data security and identity fraud prevention — not so much. And this again points out one of the significant dilemmas of information security policies and procedures: accomplishing one goal frequently impedes another. For example, court filings frequently disclose (in both complaints and answers) a good deal of personal information about the plaintiff, the defendant, related parties, counsel and the nature of the dispute. While courts either permit or require redaction (removal) of some personal information, deposition and trial transcripts, motions, pleadings and other documents may easily find their way into the public domain. While some portions may be effectively scrubbed of personal information, others may not.
The nature of the World Wide Web is such that any information that is “accessible” is, for all intents and purposes, “public.” This includes things like license information, permits, grants, certain government loan and contract information, and the supporting documentation around them.
What companies and individuals should be doing is establishing an effective method for searching for personal information about themselves, their key employees, and their companies and affiliates, both on the World Wide Web (the indexed, graphical portion of the Internet) and on the deep web or dark web (non-indexed, not always graphical). This lets companies know what information is out there (including stolen data, compromised accounts and stolen passwords) and respond effectively through breach response, credit freezes, password changes, multi-factor authentication or notification to third parties or customers.
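One way to operationalise that self-audit is a small scanner that runs over copies of documents an organisation has found about itself (a loan disclosure, a court filing) and reports which categories of personal information are exposed, masked so the report itself does not re-expose them, together with the response the article lists for each. The code below is an added example, not part of the original article; the two sample documents, the identifier formats (US-style SSN and EIN, and a North American phone layout) and the recommended-response table are all constructed assumptions to be adapted to your own jurisdiction and policy.

```python
"""Self-audit PII scanner (added example; all sample data is constructed)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample documents standing in for material already found public.
# Every name, number and address below is invented.
SAMPLE_DOCUMENTS = {
    "ppp-disclosure-sample": (
        "Borrower: Example Widgets LLC\n"
        "Contact: jane.doe@example-widgets.test, phone (555) 010-0199\n"
    ),
    "court-filing-sample": (
        "Plaintiff John Roe, SSN 123-45-6789, versus Example Widgets LLC,\n"
        "EIN 12-3456789. Counsel may be reached at counsel@law-firm.test.\n"
    ),
}

# Detector patterns. These are an assumption: US-style identifiers; extend or
# replace them for other jurisdictions and for identifiers specific to you.
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "ein": re.compile(r"\b\d{2}-\d{7}\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[ -]\d{3}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}

# Defensive response per category, following the measures the article names.
RESPONSES = {
    "ssn": "credit freeze or fraud alert for the individual; request redaction",
    "ein": "monitor for business identity fraud (filings, credit applications)",
    "phone": "treat as publicly known; brief staff on phone and SMS phishing",
    "email": "check for credential exposure, rotate passwords, enforce MFA",
}


@dataclass
class Finding:
    document: str
    category: str
    masked_value: str
    action: str


def mask(value: str) -> str:
    """Keep only the last four characters so the report does not re-expose data."""
    return re.sub(r"[A-Za-z0-9]", "*", value[:-4]) + value[-4:]


def scan_text(text: str) -> dict[str, list[str]]:
    """Return {category: [distinct raw matches]} for one document."""
    found: dict[str, list[str]] = {}
    for category, pattern in PII_PATTERNS.items():
        matches = list(dict.fromkeys(pattern.findall(text)))  # dedupe, keep order
        if matches:
            found[category] = matches
    return found


def build_exposure_report(documents: dict[str, str]) -> list[Finding]:
    """Scan every document and attach the recommended response to each hit."""
    report: list[Finding] = []
    for name, text in documents.items():
        for category, values in scan_text(text).items():
            for value in values:
                report.append(Finding(name, category, mask(value), RESPONSES[category]))
    return report


def summarize(report: list[Finding]) -> dict[str, int]:
    """Count findings per category, for a quick view of what is exposed."""
    counts: dict[str, int] = {}
    for finding in report:
        counts[finding.category] = counts.get(finding.category, 0) + 1
    return counts


if __name__ == "__main__":
    findings = build_exposure_report(SAMPLE_DOCUMENTS)
    for f in findings:
        print(f"{f.document}: {f.category} {f.masked_value} -> {f.action}")
    print("summary:", summarize(findings))
```

Run as-is it reports five masked findings across the two constructed documents; in practice you would feed it the text of each document you retrieve during the periodic search and feed the summary into the breach-response or notification process.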
Private information is private. Public information is public. Except when private information is public. Sometimes, public release of personal data is appropriate or unavoidable, but you can try to mitigate at least some of the harmful effects through diligence and awareness.