I received a phone call from a friend the other night. He was very concerned because he received one of those now infamous letters from the Office of Personnel Management, which indicated that his records were among one of the millions that were taken in the OPM hack. His information was originally submitted as he was applying for a security clearance as part of his employment. The first question he asked was whether the free credit monitoring that was offered by the OPM was worth pursuing. I advised him that he should take advantage of that free offer but along with that, he should also learn about placing a security freeze on all his credit accounts. Brian Krebs’ article on the subject is well-worth taking the time to read. As I continued the conversation with my friend, he revealed a startling piece of information; he started the application process for the secret clearance but he never completed the application. My friend is a bit of a privacy advocate, and he was uncomfortable with providing all the confidential information in an unsecured way. He decided against proceeding with the process. The only reason that the OPM had any of his information is because his employer was going to bid on a government contract and asked the employees to fill out the forms. If you have ever seen the National Security Clearance form, it stretches on for more than 125 pages and asks just about everything about your life, including information about your family. No one could reasonably argue against this process for those who we need to trust in sensitive positions. This is not a criticism of the OPM. They are merely one of the many custodians of the data we offer to them. The problem that is occurring is that companies do not purge the information, even if we terminate our communication with that company. Have you ever been rejected for a job, but the company indicates that they will “keep your application on file in case any future opportunity arises”? This leads to a couple of questions for which we may never receive a satisfactory answer: When we offer our data, and then subsequently decide to rescind that data, can we ever be certain that it is actually destroyed? We have to rely on the promise of the data custodian that they will destroy the data as requested. Is the custodian under any obligation to destroy that data? It may be time for data custodians to offer a process whereby we can be assured that our data is either destroyed when it is no longer needed, or at the very least, stored offline, lest our information can easily go astray. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. Title image courtesy of ShutterStock
