A breach that crosses the line?
Over on Massachusetts Data Privacy Law Blog, John H. Lacey writes:
The pinheads over at LulzSec have crossed a major line. They hacked into the Arizona Department of Public Safety and published the names, addresses and other personal information of police officers (including their wives’ names and email addresses). They also published a lot of privileged material regarding ongoing operations, training and intelligence.
As a prosecutor, your home address is sacrosanct. You are sometimes viewed as the “reason” some defendant is going to jail. It gets personal, sometimes real personal. On September 25, 1995, Paul McLaughlin, a prosecutor in Boston, was murdered by a gang member he was prosecuting. He was killed in the parking lot of a commuter rail station. He was on his way home and the murderer knew which train he took. The murderer probably didn’t know where he lived.
It’s one thing to shut down a website, annoying, yes, can be costly, yes, but does anyone get physically hurt? No.
I actually went and looked at the information that LulzSec stole and posted. They posted the actual names and home addresses of Arizona law enforcement officers and their wives and all their contact information. That is incredibly dangerous. I don’t mean a little scary, I mean it’s downright dangerous. There’s a major incident occurring in that part of the country. The Mexican Cartels are killing 30,000+ people to preserve their drug trade. They kill indiscriminately and prefer to kill law enforcement whenever possible. These animals are insane, do you think they would even hesitate going to a residential neighborhood and killing all the inhabitants of a house? And right now members of the Arizona Law Enforcement community are probably organizing round the clock security for their officers (or at least they should be seriously considering it).[…]
Clearly, Mr. Lacey is angry and concerned. And I share his hope that those whose details were published publicly do not come to harm because of the data breach. But what about others’ safety? I’ve been blogging for years about the dangers of breaches. I am concerned about dissidents who might be jailed or killed for their political views, abortion doctors whose lives are endangered from fringe elements, women who have tried to escape abusive spouses, porn actors whose families may be harassed by the publication of their names and addresses, confidential informants and law enforcement officers, and immigrants whose personal information was illegally revealed to law enforcement and to media by the actions of Utah state employees. All of those people have been put at risk of physical harm as a result of data breaches.
What message did Utah send when it let people who revealed immigrants’ information off so lightly? Are there two sets of data protection and privacy laws, where if you’re among the protected group, your privacy and physical safety are taken seriously, but if you’re not, too bad and hope you don’t get killed or attacked by anti-immigrant wingnuts?
Yes, I’m angry, too. We’ve known the risks of data breaches leading to harm for years and yet neither the federal government nor states have imposed stringent data protection/security requirements or serious penalties for violators. Will this breach be a wake-up call? I doubt it. If the hackers are ever caught, they will be prosecuted under existing statutes but we still will not deal with the risk of non-financial harm. Until our government truly recognizes that it needs to deal with more than just financial harm, victims of such crimes will continue to have inadequate protection and redress.
That said, it strikes me as hypocritical for people to express shock and rage over a hack that may endanger one group of people while remaining silent when other groups of people are put at risk of harm by hacking. I hope Mr. Lacey and all others who are concerned about law enforcement officers in Arizona will not remain silent in the future when other groups or individuals are put at risk of physical or psychological harm because of data breaches.