Personal Information at Peril in Public Sector

A new study suggests consumer information is at heightened risk. Sensitive consumer information in the hands of the public sector has an increased chance of being lost, stolen or unintentionally disclosed compared to consumer information possessed by the private sector. Although public sector enterprises make up as little as one percent of all U.S. enterprises, public sector mishaps account for 58% of all information security breach incidents and as much as 45% of all the consumer profiles that have been compromised in typical breaches.

An analysis of information breach incidents by J. Campana & Associates reveals that U.S. public sector data breaches account for over half of all the reported information security breaches. This is a disproportionately high number of security breach incidents because the public sector makes up about one percent of the total number of U.S. entities.

The public sector, which includes governmental and educational organizations, together with the not-for-profit sector, has put more than 60 million consumer profiles at risk through security breaches. Over 45 million consumer profiles were endangered through loss, theft and unintentional disclosure by the government sub-sector. The education sub-sector compromised more than 10 million student, parent, employee and other consumer profiles. A compromised profile includes sensitive consumer information, such as a social security number or financial account number printed on paper or encoded on electronic media, that was lost or stolen, or inappropriately accessed, exposed or disposed of.

Dr. Joseph Campana, an identity theft, privacy and information security consultant and author of the study, said, "Consumers whose profiles have been compromised may be at increased risk of having their right to privacy violated or of becoming a victim of identity theft."

Last month, J. Campana & Associates released a focused analytical report on data breaches in the educational sector. That analysis indicated that schools logged a third of all information breach incidents, accounting for as many as 25% of all the consumer profiles that were compromised. The current study includes all three sectors--public, private and volunteer.

The new study shows that federal and state governments reported three-quarters of all breaches compared to local governmental units, which consist of county, city, town, municipal and special units of government. Breaches by federal and state governments are disproportionately high because federal and state governments compose a few percent of the total units of U.S. government. Dr. Campana offers an alternative interpretation--breach incidents reported by local units of government are disproportionately low because local government makes up the majority of governmental units.

Towns, for example, did not report any breaches within the last three years. Campana suggests it is improbable that the more than 15,000 U.S. towns and townships did not have any breach incidents during this period. Dr. Campana says, "it is more likely that smaller units of local government do not have the controls in place to detect security breaches or they are not reporting them when they occur, even though most states require breach notification under law." He says that federal and state governments have privacy and information security compliance programs and consequently are more attentive to monitoring and reporting breaches under breach notification laws.

Dr. Campana says, "Local government may feel a greater obligation to fill potholes than to protect the information that their constituents entrust with them. Information security is a public safety issue; however, most officials and their constituents are not aware of the perils of lax information management compared to other public safety issues. Identity theft appears to be growing, not declining. Federal and state legislators and regulators ought to increase their focus on information security awareness and compliance in local government and educational institutions, just as they have done with the private sector."

Campana's empirical experience is that smaller organizations are significantly less aware, less concerned and non-compliant when it comes to privacy and information security. He says, "consumers and state and federal legislators should be concerned because it is likely that far more consumer information held by local governments is insidiously compromised and used for nefarious purposes compared to the occasional large data breaches that get much of the attention." Campana says he believes there are thousands of data breaches that occur monthly in smaller organizations that go undetected or unreported and that we all should be more concerned.

Joseph Campana is the author of a new book on privacy and information security: Privacy MakeOver: The Essential Guide to Best Practices. Campana says he wrote the book as a do-it-yourself guide for small organizations such as local government, schools, non-profit organizations and businesses. He said, "My experience has shown that the reality is that small enterprises do not have the time or the money to figure out how to put a privacy compliance program in place or to pay attorneys and compliance experts to do it for them. I wrote a basic book on the subject so small enterprises could put a reasonable and appropriate privacy and information security program in place quickly and inexpensively."

Almost 35% of the breaches reported by the government sub-sector involved stolen computers and electronic storage media--over 20% involved laptop computers. Ten percent of the incidents reported by state government involved traditional mail, for example, printing social security numbers on mailing labels.

The full report, which covers public, private and volunteer sector breach incidents reported for three calendar years ending December 2008, will be available in January 2009. For additional information about the study, contact Dr. Joe Campana or visit

About J. Campana & Associates llc.
J. Campana & Associates llc is an identity theft, privacy and information security consulting firm that specializes in educational, compliance and risk management solutions appropriate for small enterprises.



Joseph Campana, Ph.D., CITRMS, CIPP/G