That Little Driver’s License Card…

Welcome to this week’s Tip of the Hat!

A driver’s license card is the first document many people use to prove their identity, be it at work, or the bank, or the airport. The card has key information needed for organizations and institutions: name, date of birth, address, photo, and the illustrious driver’s license number. Driver’s license cards can be a convenient form of identification, but they can also be a convenient way for your patrons’ identities to be stolen if your library is not careful in its handling of the card’s information.

As part of the library card registration process, many public libraries require some form of identification with a current address to confirm the patron’s home address. These libraries almost always accept driver’s license cards as one form of identification. But what do libraries do with the information on the card? Some record the driver’s license number in the patron record, while others take a photocopy or scan of the card (yes, this has happened!). Several libraries use specially programmed barcode scanners to automatically populate the fields in the patron record from the information in the driver’s license barcode.

Each method carries its own level of risk to the library patron’s privacy. Storing driver’s license numbers in the patron record or other places can open the patron up to identity theft if the library’s systems or physical spaces are compromised. There are various ways to compromise a physical or electronic space. We are familiar with the story of a person breaking into the system to steal information, but sometimes it is a staff person who steals the information. We also can’t forget that a leak is as damaging as a breach – sometimes staff leave the patron record up on the screen at public service desks, or a report printout is left on a desk for anyone to see or take.

Overall, the best way to mitigate the risk of a breach or leak of driver’s license numbers is to not collect or store driver’s license numbers. In the collection stage of the patron data lifecycle, we decide what data to collect. The data you collect should be tied to a specific, demonstrated business need at the point of collection. If you are collecting driver’s license numbers as a way to verify patrons and addresses, what are the business needs for collecting and storing that number in the patron record? You can achieve the same business need by other means, including creating a process of validating the patron record information with the identification without recording additional personal information in the record. Another consideration is that while driver’s license cards are a convenient form of identification, the card might have a name that the patron no longer uses and might have other outdated or incorrect information, including address information if the state does not mail a new card when there is an address change. Finally, not all patrons have driver’s license cards, and your patron registration policies and procedures need to accommodate this reality.

Even if you don’t collect or store the driver’s license number, there are still ways in which the library might inadvertently collect more patron information than it needs from the card. Scanning driver’s license barcodes to auto-populate patron registration forms and records can save time in data entry, but be aware that these barcodes carry much more information than what is presented on the card, including gender and even Social Security Numbers. The software that you use to scan the barcodes should only record the information needed for the patron form and not store the additional information in the barcode. Your software vendor should have information about how they treat this extra data; if they do not, then the vendor product is a potential security risk for the library and the patrons, and that risk needs to be addressed with the vendor.
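To make "only record the information needed" concrete, here is an added example (not from any vendor's product) of an allow-list filter over a decoded license barcode. It assumes the scanner hands over the AAMVA-style payload as text with one three-letter element per line, that the form needs only name and address, and it uses a constructed sample scan.

```python
import re

# Element IDs the registration form needs (assumption: name and address only).
ALLOWED = {
    "DCS": "last_name",
    "DAC": "first_name",
    "DAG": "street",
    "DAI": "city",
    "DAJ": "state",
    "DAK": "postal_code",
}

# A line is an optional subfile designator (DL/ID) followed by a 3-letter element ID.
ELEMENT = re.compile(r"^(?:DL|ID)?([DZ][A-Z]{2})(.*)$")

def minimize_scan(payload):
    """Return (patron_fields, dropped_ids).

    Only allow-listed elements are copied out. For everything else the
    element ID is noted for audit, and the value is never stored.
    """
    fields, dropped = {}, []
    for line in re.split(r"[\r\n\x1e]+", payload):
        match = ELEMENT.match(line.strip())
        if not match:
            continue  # header or unrecognized line: keep nothing
        code, value = match.group(1), match.group(2).strip()
        if code in ALLOWED:
            fields[ALLOWED[code]] = value
        else:
            dropped.append(code)
    return fields, dropped

# Constructed sample scan: includes license number (DAQ), date of
# birth (DBB) and sex (DBC), none of which the form asks for.
SAMPLE = (
    "@\n\x1e\rANSI 636000080002DL00410100\n"
    "DLDAQX0000000\n"
    "DCSSAMPLE\n"
    "DACPAT\n"
    "DBB01011990\n"
    "DBC2\n"
    "DAG123 EXAMPLE ST\n"
    "DAIANYTOWN\n"
    "DAJCA\n"
    "DAK000000000\n"
)

if __name__ == "__main__":
    print(minimize_scan(SAMPLE))
```

The list of dropped element IDs is useful when reviewing a vendor product: it shows what the barcode offered that the patron record did not need.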

No matter how your library handles driver’s license cards, your library should be actively reviewing privacy practices on a regular basis. In 2019, the Contra Costa County Library System decided to stop collecting driver’s license numbers and purged existing numbers from their patron records. This decision came just at the right moment – the library system suffered a ransomware attack at the beginning of 2020. While recent reports state that no personal data was compromised, the risk of identity theft to library patrons would have been much greater if the driver’s license numbers were still stored at the library. In short, it’s never too late to review policies and procedures around patron address verification at your library!

Ransomware, CS and Privacy, and #FollowMonday

Welcome to this week’s Tip of the Hat! Summer is in full swing this August, and the Executive Assistant is contemplating where would be the coolest place in the office to park herself to work. While she roams the office and while I make sure she doesn’t make a small blanket fort connected to the office refrigerator, here are a couple of quick links and updates in the privacy and library worlds to start your week.

[Image: A refrigerator with its door open, and a green tent set up in front of the open door.]

Ransomware strikes another library system

Last month, the Butler County Federated Library System in Pennsylvania became the latest library system to succumb to ransomware. As a result, the system has gone back to using paper to track circulation information. As with other ransomware attacks, the system might have to rebuild its online infrastructure if it is unable to retrieve the ransomed data.

If your library hasn’t been hit with ransomware yet, the best defense against ransomware is to prevent it from taking over your system. Awareness programs and information security training can help with educating staff about the ways that ransomware and other viruses and malware can infiltrate the library system, and regular reminders and updates can also help keep staff current on trends and new infosec practices.

Training can only go so far, though, and having a plan in place will not only help mitigate panic when ransomware takes over a system, but also mitigate any overlooked vulnerabilities concerning patron data privacy. For example, while libraries have used paper for decades to track circulation information, automation in the last few decades has taken over this process. Making sure that staff are trained and have current procedures in handling sensitive patron data in paper format – including storage and disposal – can help protect against inadvertent privacy breaches.

H/T to Jessamyn West for the link!

Is it time for Computer Science curriculums to prioritize privacy?

In an op-ed in Forbes, Kalev Leetaru argues that CS curricula should follow the way of library and information science and emphasize privacy in their programs. Near the end of the article, Leetaru illustrates the struggle between privacy and analytics:

Privacy naturally conflicts with capability when it comes to data analytics. The more data and the higher resolution it is, the more insight algorithms can yield. Thus, the more companies prioritize privacy and actively delete everything they can and minimize the resolution on what they do have to collect, the less capability their analytics have to offer.

This represents a philosophical tradeoff. On the one hand, computer science students are taught to collect every datapoint they can at the highest resolution they can and to hoard it indefinitely. This extends all the way to things like diagnostic logging that often becomes an everything-or-nothing concept that has led even major companies to have serious security breaches. On the other hand, disciplines like library and information science emphasize privacy over capability, getting rid of data the moment it is safe to do so.

What do you think? Would emphasizing privacy in CS programs change current data privacy practices (or lack thereof) in technology companies?

#FollowMonday – @privacyala

Keeping up with all the latest developments in the privacy field is a challenge. There is so much happening that it can be a full-time job to keep up with all the developments. ALA’s Choose Privacy Every Day Twitter account can help you sift through all the content in a nicely packaged weekly post of the major developments and updates in the privacy world, be it in libraries or out there in the world. You can find out about new legislation, tools to help protect your patrons’ privacy, and yes, there is a section to keep up with the latest data breaches.