With the recent disclosure of the Equifax data breach, I am reminded of another breach last year with Idaho Fish and Game’s vendor for licensing, where the personal information of myself, my child and thousands of other Idahoans was potentially stolen. I was therefore surprised this year when I renewed my fishing license and was again required to provide my Social Security number. Why are we required to provide this sensitive information to an entity which has not protected it, particularly when other means (e.g. driver’s licenses) would suffice for identification and proof of residency?
According to F&G, this information is required by state law. I therefore encourage our Legislature to change the law and require state agencies to limit the data collected to the least amount necessary to accomplish their mission, and to demonstrate that no other options were available when collecting highly sensitive information (e.g. SSN).
Twenty-years of experience in IT, which has included working with public agencies suffering from data breaches, has shown me that there are only two types of entities: those who have suffered a breach and those who don’t yet know it. Our state agencies should treat the people’s data with this in mind.
John Scott, Boise