Data Privacy and Security Lessons from the Latest Law Enforcement Data Exposure
When agencies decide to use third-party vendors, they must be aware of any and all potential issues that could arise from the convenience of the service. Recently, a security flaw discovered in SweepWizard, an app developed by ODIN Intelligence to assist law enforcement agencies in managing multi-agency raids, illustrated a prime example of the risks associated with third-party vendors. SweepWizard permitted unauthorized access to sensitive data, including over 1,000 suspects’ social security numbers; law enforcement officers’ names, phone numbers and email addresses; pre-raid briefing locations; and raid locations. Law enforcement agencies were using a free trial of SweepWizard, which claimed to be Criminal Justice Information Services (CJIS) compliant. Later, unknown hackers claimed to possess 16 gigabytes of data from ODIN Intelligence.
SweepWizard is a kind of intelligence sharing, which refers to the collection and dispersion of sensitive data with agencies and third-party vendors to prevent and solve crime. When an agency shares data with a third-party vendor, it must assess whether that shared data will be secured from non-authorized users, foreign adversaries or malicious cyber actors, like ransomware hackers plotting to exploit security vulnerabilities. But an assessment is not foolproof.
The privacy implications of SweepWizard’s data exposure could devastate officers and suspects. Some states provide special protection to law enforcement officers’ personal information because disseminating an officer’s personal information can have dire consequences. Further, the suspects’ names and locations were exposed, which may put people at risk. The suspects could find themselves an internet search away from employment and housing opportunity denial or in the mob justice and vigilantes’ crosshairs, like Richard Jewels and Steven Hatfill.
There are operational implications to consider, too. Raids are most successful when each suspect’s residence is raided simultaneously to prevent the raid details from being leaked. If revealed, officer safety and evidence are severely compromised, and the opportunity to secure incriminating evidence for current or future investigations vanishes. Potential investigative leads vanishing could have devastating consequences, and crime victims will bear that cost. In online child sexual exploitation cases, for example, one suspect can help bring down an entire criminal organization dedicated to exploiting children. An investigator can assume a suspect’s vetted online identity and infiltrate exclusive groups and organizations, which might otherwise be impossible to access.
The Need for a Comprehensive Data Privacy Law
To safeguard public trust and community safety, agencies must apply data privacy and security protection principles to data collected and shared with other agencies or third-party vendors. Generally, there are law enforcement and/or government exceptions from most comprehensive privacy laws. However, agencies must comply with the Federal Bureau of Investigation’s (FBI) CJIS Security Policy if accessing the FBI’s CJIS databases, like fingerprint identification data. The CJIS Security Policy guides law enforcement agencies nationwide to secure and protect criminal justice information from unauthorized access, dissemination and transmission. However, CJIS compliance—even when subject to audits—can fail. That is why we need a comprehensive federal data privacy and security law that third-party vendors must adhere to.
A comprehensive federal data privacy and security law, like the American Data Privacy and Protection Act (ADPPA) proposed in the 117th Congress, is one of the best ways that we can secure our data. In 2022, the ADPPA made significant progress, but ultimately stalled out. Many privacy professionals and groups supported the comprehensive bipartisan privacy bill. It would have brought stability to the legal privacy landscape currently hampered by state-by-state privacy patchwork laws. Multiple provisions in the ADPPA could help prevent breaches like the one that SweepWizard experienced. For example, Section 208 of the ADPPA requires non-exempt entities to implement and maintain security measures adequately to protect data against unauthorized access and acquisition. Section 208 also provides specific requirements that certain entities must meet, including security system vulnerabilities, taking preventive and corrective action, evaluating their systems, retention and disposal schedule, training and an organization’s incident response.
In addition, a fundamental privacy principle conveyed in ADPPA was data minimization, which limits what data an entity may collect, process or transfer. This helps limit the amount of data collected in the first place. Another ADPPA strength was its inclusion of essential privacy principles, like a data retention and disposal schedule that requires “…. the deletion of covered data when such data is required to be deleted by law or is no longer necessary….” While some privacy frameworks touch on data minimization, the ADPPA expanded data minimization with specific and detailed restrictions.
In the SweepWizard data breach, several police investigations from as far back as 2011 were accessed without authorization. Whether that data needed to be retained is unknown—but it seems unlikely. Decade-old multi-agency raid data holds minimal value and should have been deleted from the SweepWizard’s database.
Passing a comprehensive federal privacy and security law and demanding better privacy and security policies from law enforcement agencies will improve community trust and safety. Only then can we work together to secure our data from those who wish to do us harm.
Image credit: Rawpixel.com