For the thousands of Kentucky parents whose children attend public schools, a cyber attack last month on the Department of Education's Infinite Campus website resulted in the inability to access their children's grades, homework assignments and other information. Although this attack just inconvenienced parents, cyber attacks can be much more destructive.
Cyber attacks on state and local government networks occur every single day. To get a sense of just how serious the threat is, we need to look no further than my office, which has already had more than 5,000 unauthorized attempts (i.e., potential attacks) to access our secure network this year alone.
We also can look at the recent devastating cyber attack in South Carolina that enabled hackers to access the tax records, bank account information and Social Security numbers of 3.6 million residents. Also breached was the sensitive information of hundreds of thousands of businesses. In an attempt to redress the situation, the state's elected officials offered all residents and businesses free identity theft prevention and credit monitoring services for a year — to the tune of almost $30 million.
My primary role as state auditor is to serve as the taxpayer watchdog. However, few know that I'm also a cyber watchdog. My office conducts cyber audits for state and other agencies where technology has a significant impact on the processing and reporting of financial information, as well as those agencies that maintain sensitive and confidential information.
We also work with agencies to perform vulnerability scans to look for security weaknesses and risks. This is something my office and previous administrations have been doing, mostly below the radar, for more than two decades. What's new, though, is the ever-growing priority I and future auditors will need to give this role.
We know the bad guys are out there and are trying to attack every day. We must become more proactive about fighting the threat. From tax returns and health records to credit card and banking information and more, our government possesses more personally sensitive information than any other entity. And yet Kentucky is just one of four states without a breach notification law that requires government to notify it citizens when their personal information has been breached. I believe we must change this and protect the privacy and identities of every Kentuckian.
Why is this so important? If a hacker breaches a network and obtains sensitive information, they will likely use that information for nefarious purposes. If we're unaware that our information has been compromised, we're defenseless.
However, if the entity that has been attacked is obligated to notify those whose information was compromised, there are a number of measures they can take to ensure their identity isn't stolen, bank or health records aren't jeopardized, and lives aren't negatively impacted in any other way.
Citizens can, for example, ask their bank to notify them if they detect suspicious activity. Breach-notification laws grant each of us the right to be aware — to be vigilant. Without them, we're at the mercy of government, forced to hope they'll do the right thing by notifying those involved when our information is compromised. I've seen too many cases where systems that relied upon trust rather than accountability resulted in disastrous consequences. When cyber breaches occur, the entity on the receiving end of the attack may be embarrassed and inclined to sweep the incident under the rug. I urge my fellow Kentuckians to view breach notification laws as a basic right.
If it's good enough for 46 other states, then surely it's good enough for us.
Although the Commonwealth Office of Technology, the agency responsible for the commonwealth's technology systems, has internal policies requiring agencies to notify individuals and entities affected by a cyber breach, something as critical as this needs to be enshrined in statute.
I'm confident that between now and the 2014 legislative session, both parties can work together again to provide Kentuckians with the protection they deserve in the face of a threat that our nation's secretary of Homeland Security recently upgraded as being even more serious than terrorism.
My goal will be to work with legislators on both sides of the aisle, as well as other stakeholders, to craft a cyber-protection bill that balances the practical realities of cash-strapped governments with the need to vigorously protect the citizen data they hold.
For more information, visit auditor.ky.gov and follow Auditor Adam Edelen on Twitter @AuditorKY, facebook.com/AuditorKY and youtube.com/AuditorKY. Call 1-800-KY-ALERT or visit our website to report suspected waste and abuse.